Summary
The Apache 2.0.x Win32 installation ships with a default script, /cgi-bin/test-cgi.bat, that allows an attacker to execute commands on the Apache server (it is reported that any .bat file could expose this vulnerability).
An attacker can send a pipe character with commands appended as parameters, which are then executed by Apache.
Solution
This bug is fixed in Apache 1.3.24 and 2.0.34-beta. Upgrade to a fixed version, or remove /cgi-bin/test-cgi.bat.
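To check whether a server has already received the request pattern described in the summary, access logs can be searched for a pipe character sent to a batch script. The following is an added example, not part of the original advisory; it assumes Common Log Format, treats .cmd like .bat as an assumption, and uses constructed log lines with a placeholder in place of any command.

```python
import re
from urllib.parse import unquote

# Request line inside a Common Log Format entry: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Batch script name followed by end of target, PATH_INFO or a query string.
# .bat comes from the advisory; .cmd is an added assumption.
BATCH_RE = re.compile(r'\.(?:bat|cmd)(?=$|[/?])', re.IGNORECASE)

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so a double-encoded pipe (%257C) is also seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious(log_line):
    """True if the request targets a batch script and carries '|' after its name."""
    m = REQUEST_RE.search(log_line)
    if m is None:
        return False
    target = decode_fully(m.group("target"))
    script = BATCH_RE.search(target)
    return script is not None and "|" in target[script.end():]

def flag_lines(lines):
    """Return the log lines that match the pattern, in their original order."""
    return [line for line in lines if is_suspicious(line)]

# Constructed sample log (documentation addresses, placeholder instead of a command)
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Mar/2002:13:55:36 +0000] "GET /cgi-bin/test-cgi.bat?|PLACEHOLDER HTTP/1.0" 200 512',
    '192.0.2.11 - - [10/Mar/2002:13:56:01 +0000] "GET /cgi-bin/test-cgi.bat?%7CPLACEHOLDER HTTP/1.0" 200 512',
    '192.0.2.12 - - [10/Mar/2002:13:56:40 +0000] "GET /cgi-bin/other.BAT?x=%257CPLACEHOLDER HTTP/1.1" 200 98',
    '192.0.2.13 - - [10/Mar/2002:13:57:02 +0000] "GET /cgi-bin/test-cgi.bat HTTP/1.0" 200 301',
    '192.0.2.14 - - [10/Mar/2002:13:57:30 +0000] "GET /search.html?q=a|b HTTP/1.0" 200 1200',
]

if __name__ == "__main__":
    for hit in flag_lines(SAMPLE_LOG):
        print(hit)
```

A plain request to the script without a pipe is not flagged, so any hit warrants reviewing what followed the pipe and whether the server was running an unfixed version at that time.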
Severity
Classification
- CVE: CVE-2002-0061
- CVSS Base Score: 7.5
- CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Related Vulnerabilities
- Weborf 'get_param_value()' Function HTTP Header Handling Denial Of Service Vulnerability
- Apache Open For Business Weak Password security check
- RDS / MDAC Vulnerability (msadcs.dll) located
- Apache Traffic Server Synthetic Health Checks Remote DoS Vulnerability
- PHP Built-in WebServer 'Content-Length' Denial of Service Vulnerability