HAMweather Weather Reporting CGI Security Hole May Disclose Files to Remote Users
SecurityTracker Alert ID: 1005270
SecurityTracker URL: http://securitytracker.com/id/1005270
CVE Reference: CVE-2002-2356
Updated: Jun 3 2008
Original Entry Date: Sep 23 2002
Impact:
Disclosure of system information, Disclosure of user information, User access via network
Vendor Confirmed: Yes
Version(s): 2.x
Description:
A vulnerability was reported in the web administration utility for the HAMweather CGI weather script. A remote user may be able to gain administrative control over the application and view files on the system.
It is reported that if the hwadmin.cgi is not installed in a secure directory on the web server, a remote user can gain administrative access to the application. With administrative access, the remote user can change various HAMweather 2.x settings. This could cause HAMweather 2.x to disclose potentially sensitive files on the server to remote users.
HAMweather 3.x is reportedly not affected by this vulnerability.
Impact:
A remote user can gain administrative access to the utility. A remote user can view files on the system.
Solution:
The vendor is reportedly working on a patch and recommends one or all of the following steps:
"1. Put the hwadmin.cgi in a secure directory. This is a directory that is either not available over the open web and/or requires a username/password to access. This is most easily done on many servers using an .htaccess file.
2. When not in use change the file permissions of the hwadmin.cgi so that the web server cannot execute the file. Usually this would be a chmod 644, but the actual setting would depend on your web server's configuration.
3. For highest security remove the hwadmin.cgi from the server.
4. Upgrade to HAMweather 3.x as it is not affected by this security hole since it does not include a web based administration."
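The following script is an added example, not part of the advisory or the vendor's code: it audits a HAMweather 2.x CGI directory for the vendor's first two mitigations, checking that hwadmin.cgi carries no execute bit (the chmod 644 step) and that the directory's .htaccess requires a login. It assumes an Apache-style .htaccess with AuthType and Require directives; the demo runs on a constructed temporary directory.

```shell
#!/bin/sh
# Added example: check a HAMweather 2.x CGI directory for the advisory's
# mitigations. Not vendor code; assumes Apache-style .htaccess directives.

# Returns 0 when $1/hwadmin.cgi is absent (step 3) or has no execute bit
# set for anyone (step 2), 1 when the web server could still execute it.
hwadmin_not_executable() {
    f="$1/hwadmin.cgi"
    [ -e "$f" ] || return 0
    # Portable: inspect the mode string from ls rather than GNU/BSD stat.
    case "$(ls -ld "$f" | cut -c1-10)" in
        *x*) return 1 ;;
    esac
    return 0
}

# Returns 0 when $1/.htaccess enforces a username/password (step 1), 1 otherwise.
htaccess_requires_login() {
    h="$1/.htaccess"
    [ -f "$h" ] || return 1
    grep -qi '^[[:space:]]*AuthType' "$h" || return 1
    grep -qiE '^[[:space:]]*Require[[:space:]]+(valid-user|user)' "$h" || return 1
    return 0
}

# Prints one line per check; returns 0 if at least one mitigation is in place.
audit_hwadmin_dir() {
    d="$1"; ok=1
    if hwadmin_not_executable "$d"; then echo "hwadmin.cgi: not executable (ok)"; ok=0
    else echo "hwadmin.cgi: executable by the web server"; fi
    if htaccess_requires_login "$d"; then echo ".htaccess: login required (ok)"; ok=0
    else echo ".htaccess: no login requirement found"; fi
    return $ok
}

# Demo on a constructed directory: first unprotected, then with .htaccess auth.
demo() {
    t=$(mktemp -d)
    printf '#!/usr/bin/perl\nprint "admin";\n' > "$t/hwadmin.cgi"
    chmod 755 "$t/hwadmin.cgi"
    audit_hwadmin_dir "$t"; echo "verdict: $?"
    printf 'AuthType Basic\nAuthName "HAMweather admin"\nAuthUserFile /path/to/.htpasswd\nRequire valid-user\n' > "$t/.htaccess"
    audit_hwadmin_dir "$t"; echo "verdict: $?"
    rm -rf "$t"
}
demo
```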
Vendor URL: www.hamweather.net/hw3/hw2securityalert.shtml
Cause:
Access control error
Underlying OS:
Linux (Any), UNIX (Any), Windows (Any)
Message History:
None.
Source Message Contents
Date: Mon, 23 Sep 2002 02:35:18 -0400
Subject: HAMweather bug
http://www.hamweather.net/hw3/hw2securityalert.shtml
HAMweather LLC issued a security alert for HAMweather 2.x, warning that
there is a security hole in the HAMweather 2.x web administration
utility.
It is reported that if the hwadmin.cgi is not installed in a secure
directory on the web server, a remote user can gain administrative
access to the application. With administrative access, the remote user
can change various HW2 settings. This could cause HAMweather 2.x to
disclose potentially sensitive files on the server to remote users.
The vendor recommends one or all of the following steps:
"1. Put the hwadmin.cgi in a secure directory. This is a directory that
is either not available over the open web and/or requires a username/password
to access. This is most easily done on many servers using an
.htaccess file.
2. When not in use change the file permissions of the hwadmin.cgi so
that the web server cannot execute the file. Usually this would be a
chmod 644, but the actual setting would depend on your web server's
configuration.
3. For highest security remove the hwadmin.cgi from the server.
4. Upgrade to HAMweather 3.x as it is not affected by this security hole
since it does not include a web based administration."
The vendor is working on a patch.
HAMweather 3.x is reportedly not affected by this vulnerability.