Name: Environment and Setup Variables can be Viewed through
Date: 28.01.2001
Problems:The script allows several environment variables to
be viewed by the attacker, who can gain useful information
on the site, making further attacks more feasible.
Analysis:webpage.cgi dumps useful information (e.g. script
location, HTTP root, version of Perl, server_admin,
server_name, path) to the browser when the database file
provided is incorrect. Exploits: If site does not contain a
file named ukr.htm, thus the following URL displays the
environment dump (note: this url may not work as the vendor
has applied the patch to the site. However, a similar url,
when applied within the necessary modifications to an
unprotected site would yield the desired result.)
Author: UkR_XblP
Get your free e-mail address at

Reply via email to