Detections
Analytics
CGI Generic Format String
high Nessus Plugin ID 42055
Language:
Synopsis
Arbitrary code may be run on the remote server.Description
The remote web server hosts CGI scripts that fail to adequately sanitize request strings. They seem to be vulnerable to a 'format string' attack. By leveraging this issue, an attacker may be able to execute arbitrary code on the remote host subject to the privileges under which the web server operates.Please inspect the results as this script is prone to false positives.
Solution
Restrict access to the vulnerable application / scripts. And contact the vendor for a patch or upgrade.See Also
https://en.wikipedia.org/wiki/Format_string_attack
http://projects.webappsec.org/w/page/13246926/Format%20String
Plugin Details
Severity: High
ID: 42055
File Name: torture_cgi_format_string.nasl
Version: 1.19
Type: remote
Family: CGI abuses
Published: 10/7/2009
Updated: 1/19/2021
Configuration: Enable paranoid mode
Supported Sensors: Nessus
Vulnerability Information
Required KB Items: Settings/ParanoidReport, Settings/enable_web_app_tests