[Snort-sigs] rule documentation for WEB-CGI php.cgi access

Josh.Sakofsky at ...1573...
Fri Jun 6 12:07:27 EDT 2003

Rule: WEB-CGI php.cgi access

Sid: 824

Summary: A remote user has tried to access the php.cgi script. Some
versions of this script can allow access to any file the server can read.

Impact: Medium

Detailed Information: Because of a design problem in this version of
PHP/FI, remote users are able to access any file that the UID of the http
process has access to. The exploit is simple
(http://somewebserver/php.cgi?/path/to/desired/file) and can be used with
malicious intent.

Affected Systems: PHP/FI 2.0

Attack Scenarios: An attacker can simply pass a file name to the script
and be able to view the file if the web server has access to it. This can
be used to obtain passwords or other sensitive

Ease of Attack: Trivial

False Positives: None Known

False Negatives: None Known

Corrective Action: Upgrade or remove the file php.cgi

Contributors: Original rule writer unknown.
              Josh Sakofsky

Additional References: http://www.whitehats.com/info/IDS232
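
The following Python is an added example, not code from the original post or from the Snort project. It applies the request pattern described above to web server access logs, separating plain php.cgi hits from requests that pass a file path in the query string, and records whether the server answered with a 2xx status. The log format (Apache common log format), the sample lines and the function name `triage` are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines (Apache common log format, documentation IPs).
SAMPLE_LOG = """\
192.0.2.10 - - [06/Jun/2003:12:01:02 -0400] "GET /index.html HTTP/1.0" 200 1043
192.0.2.44 - - [06/Jun/2003:12:03:10 -0400] "GET /cgi-bin/php.cgi?/path/to/desired/file HTTP/1.0" 200 812
192.0.2.44 - - [06/Jun/2003:12:03:15 -0400] "GET /cgi-bin/PHP.CGI?%2Fpath%2Fto%2Fdesired%2Ffile HTTP/1.0" 404 209
192.0.2.77 - - [06/Jun/2003:12:04:00 -0400] "GET /cgi-bin/php.cgi HTTP/1.0" 200 5120
192.0.2.80 - - [06/Jun/2003:12:05:00 -0400] "GET /docs/php.cgi.html HTTP/1.0" 200 300
"""

# client, method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})\b')


def triage(log_text):
    """Return (client, kind, query, served) for every request to php.cgi.

    kind   -- "file-read" when the query string is a filesystem path
              (the php.cgi?/path/to/file pattern), otherwise "access"
    served -- True when the status was 2xx, i.e. the script exists and
              answered, so the hit deserves follow-up first
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        client, _method, target, status = m.groups()
        parts = urlsplit(target)
        # Decode percent-escapes and fold case before matching, so that
        # PHP.CGI or php%2ecgi is not missed.
        path = unquote(parts.path).lower()
        if not path.endswith("/php.cgi"):
            continue
        query = unquote(parts.query)
        kind = "file-read" if query.startswith("/") else "access"
        findings.append((client, kind, query, status.startswith("2")))
    return findings


if __name__ == "__main__":
    for client, kind, query, served in triage(SAMPLE_LOG):
        print(f"{client:<12} {kind:<10} served={served} query={query!r}")
```

A "file-read" finding with `served=True` is the case to investigate first; a 404 on the same pattern indicates the script was not present at that path.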