Name: Environment and Setup Variables can be Viewed through
webpage.cgi
Date: 28.01.2001
Problems: The script allows an attacker to view several
environment variables and so gain useful information about
the site, making further attacks more feasible.
Analysis: webpage.cgi dumps useful information (e.g. script
location, HTTP root, version of Perl, server_admin,
server_name, path) to the browser when the database file
provided is incorrect.
Exploits: If the site does not contain a file named ukr.htm,
the following URL displays the environment dump. (Note: this
URL may not work, as the vendor has applied the patch to the
site. However, a similar URL, with the necessary
modifications, applied to an unprotected site would yield
the desired result.)
Author: UkR_XblP
Exploit: http://www.victim.org/cgi-bin/replicator/webpage.cgi/313373/ukr.htm
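
Added example (not part of the original advisory and not the vendor's code): a regression check a site owner can run over the body of an error page to confirm that it no longer prints the variables named in the Analysis. The variable names, the `NAME = value` dump format and the sample pages are assumptions constructed for illustration.

```python
import re

# Variable names standing in for the fields the advisory lists (script
# location, HTTP root, server_admin, server_name, path). Assumed mapping:
# the advisory does not show the exact format of the dump.
SENSITIVE_VARS = frozenset({
    "SCRIPT_FILENAME", "SCRIPT_NAME", "DOCUMENT_ROOT",
    "SERVER_ADMIN", "SERVER_NAME", "PATH",
})

LINE_BREAK_TAGS = re.compile(r"(?i)<\s*(?:br|/p|/li|/tr|/div)\s*/?>")
ANY_TAG = re.compile(r"<[^>]+>")
# One pair per line: NAME = value, NAME: value or NAME => value.
PAIR = re.compile(r"^\s*([A-Z][A-Z0-9_]{2,})\s*(?:=>|=|:)\s*(\S.*)$")

def find_env_leaks(body):
    """Return {variable: value} for sensitive variables printed in body."""
    # Turn line-breaking tags into newlines, then drop the remaining markup.
    text = ANY_TAG.sub("", LINE_BREAK_TAGS.sub("\n", body))
    leaks = {}
    for line in text.splitlines():
        match = PAIR.match(line)
        if match and match.group(1) in SENSITIVE_VARS:
            leaks[match.group(1)] = match.group(2).strip()
    return leaks

def is_env_dump(body, threshold=2):
    """A single hit may be ordinary page text; several together is a dump."""
    return len(find_env_leaks(body)) >= threshold

# Constructed sample: error page that echoes the environment.
LEAKY_PAGE = """<html><body><h1>Error: cannot open database</h1>
SERVER_NAME = www.example.org<br>
SERVER_ADMIN = webmaster@example.org<br>
DOCUMENT_ROOT = /usr/local/www/htdocs<br>
PATH = /bin:/usr/bin<br>
HTTP_USER_AGENT = Mozilla/4.0
</body></html>"""

# Constructed sample: generic error page, details kept in the server log.
PATCHED_PAGE = "<html><body><h1>Page not found</h1></body></html>"

if __name__ == "__main__":
    for name, page in (("leaky", LEAKY_PAGE), ("patched", PATCHED_PAGE)):
        print(name, is_env_dump(page), sorted(find_env_leaks(page)))
```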