OSVDB ID: 6505

Title: csMailto.cgi Arbitrary File Access

Dates

Disclosure: Apr 23, 2002
Discovery: Apr 23, 2002
Exploit: Apr 23, 2002
Solution: Unknown

Description

csMailto.cgi contains a flaw that may allow a malicious user to access arbitrary files on the server. The issue is triggered when a hidden form field value is modified. It is possible that the flaw may allow execution of arbitrary commands on the system resulting in a loss of confidentiality.

Classification

Location: Remote/Network Access Required
Attack Type: Input Manipulation
Impact: Loss of Confidentiality
Exploit: Exploit Available
Disclosure: OSVDB Verified

Solution

Upgrade to version 2.0 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

CGIscript.NET, LLC. csMailto 1.0

References

Credit

  • Steve Gustin - stegus1 [at] yahoo.com


Direct URL: http://osvdb.org/36218