CVE-1999-1053
HIGH severity · CVSS 7.5
7.5CVSS HIGH
Summary
guestbook.pl cleanses user-inserted SSI commands by removing text between "<!--" and "-->" separators, which allows remote attackers to execute arbitrary commands when guestbook.pl is run on Apache 1.3.9 and possibly other versions, since Apache allows other closing sequences besides "-->".
Impact & exploitability
Attack vectorNetwork
Attack complexityLow
Privileges required—
User interaction—
Confidentiality impact—
Integrity impact—
Availability impact—
Exploit probability (EPSS)91%
AV:N/AC:L/Au:N/C:P/I:P/A:P
Affected products we track (1)
Recommendation
Apply the vendor fix promptly. Open any affected product above for its exact safe version.
Official patch: http://www.securityfocus.com/bid/776 ↗
Additional information
- NVD record
- http://www.securityfocus.com/bid/776Patch
- http://www.securityfocus.com/bid/776Patch
- http://www.securityfocus.com/archive/1/33674Advisory
- http://www.securityfocus.com/archive/82/27296Advisory
- http://www.securityfocus.com/archive/82/27560Advisory
- http://www.securityfocus.com/archive/1/33674Advisory
- http://www.securityfocus.com/archive/82/27296Advisory
- http://www.securityfocus.com/archive/82/27560Advisory