Rule:  
--

Sid:
1163

--

Summary:
Someone may have attempted to execute arbitrary commands on an IRIX web server
using a vulnerability in webdist.cgi

--
Impact:
An attacker may have been able to execute any command on the web server
that the web server user can run.

--
Detailed Information:
IRIX versions 5.0 through 6.3 contain a CGI script by default
(/var/www/cgi-bin/webdist.cgi) for remote administration purposes.
This script, as originally released by SGI, contains a vulnerability
that can allow an attacker to run any arbitrary command that
the web server user has access to.

--
Affected Systems:
 
--
Attack Scenarios:
Attacker sends a simple URL like the following:
/cgi-bin/webdist.cgi?distloc=;cat%20/etc/passwd

--
Ease of Attack:
Very simple handcrafted URL.

--
False Positives:
None Known
webdist.cgi may be used for remote administration purposes by systems
administrators.

--
False Negatives:
None Known

--
Corrective Action:
View the captured packet to determine whether this was an attack or
legitimate remote administration.  If it resembles an attack, and the
target runs IRIX, consider launching an investigation.
The existence of sample scripts such as webdist.cgi
may indicate larger security problems with the web server's configuration.

--
Contributors:
Original rule writer unknown
Original document author unkown
Sourcefire Vulnerability Research Team
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:
CVE:  CVE-1999-0039
BUGTRAQ:  BID 374
URL:  http://www.cert.org/advisories/CA-1997-12.html
