Steve Grimm Un-CGI Directory Traversal Vulnerability

Un-CGI is a free CGI wrapper application. Its function is to parse URL-encoded input and translate it for use by CGI applications. It may be used as a library or as a stand-alone executable.

A problem exists with the Un-CGI executable. It does not filter '../' sequences from user-supplied input. Thus it is possible to access arbitrary web-readable files on the host, which may disclose sensitive information to remote attackers.

It is also possible to use this vulnerability to remotely execute other scripts located on the host.
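The underlying defect is the absence of path confinement on decoded input. The following C example, added here and not taken from Un-CGI or from SecurityFocus, shows the check a CGI wrapper needs: percent-decode the value first (so encoded forms such as %2e%2e are caught), refuse an encoded NUL, resolve '.' and '..' lexically, and reject any result that would climb above a fixed document root. The root "/var/www", the sample inputs and the helper names are assumptions for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Constructed example (not Un-CGI code): decode a URL-encoded value, then
 * confine it lexically under a fixed document root. The root and the sample
 * inputs are assumptions for illustration. */

/* Decode %XX escapes and '+'. Returns 0 on overflow or on an encoded NUL
 * (%00), which would otherwise truncate the path when handed to the OS. */
static int percent_decode(const char *in, char *out, size_t outlen) {
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        if (o + 1 >= outlen) return 0;
        if (in[i] == '%' && isxdigit((unsigned char)in[i + 1]) &&
            isxdigit((unsigned char)in[i + 2])) {
            char hex[3] = { in[i + 1], in[i + 2], '\0' };
            int v = (int)strtol(hex, NULL, 16);
            if (v == 0) return 0;
            out[o++] = (char)v;
            i += 2;
        } else if (in[i] == '+') {
            out[o++] = ' ';
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = '\0';
    return 1;
}

#define MAX_SEGS 64

/* Resolve '.' and '..' segments lexically; refuse absolute paths and any
 * path that climbs above root. On success writes "<root>/<seg>/<seg>...". */
static int confine_path(const char *root, const char *rel, char *out, size_t outlen) {
    const char *seg[MAX_SEGS];
    size_t len[MAX_SEGS];
    int n = 0;
    const char *p = rel;

    if (rel[0] == '/') return 0;                 /* absolute path: refuse */
    while (*p != '\0') {
        const char *start = p;
        while (*p != '\0' && *p != '/') p++;
        size_t l = (size_t)(p - start);
        if (*p == '/') p++;
        if (l == 0 || (l == 1 && start[0] == '.')) continue;   /* "" or "." */
        if (l == 2 && start[0] == '.' && start[1] == '.') {
            if (n == 0) return 0;                /* ".." past the root */
            n--;
            continue;
        }
        if (n >= MAX_SEGS) return 0;
        seg[n] = start; len[n] = l; n++;
    }

    size_t pos = strlen(root);
    if (pos + 1 > outlen) return 0;
    memcpy(out, root, pos);
    for (int i = 0; i < n; i++) {
        if (pos + 1 + len[i] + 1 > outlen) return 0;
        out[pos++] = '/';
        memcpy(out + pos, seg[i], len[i]);
        pos += len[i];
    }
    out[pos] = '\0';
    return 1;
}

/* Decode first, then confine: filtering before decoding is the classic
 * mistake, since "%2e%2e/" only becomes "../" after decoding. */
int resolve_under_root(const char *root, const char *encoded, char *out, size_t outlen) {
    char decoded[1024];
    if (!percent_decode(encoded, decoded, sizeof decoded)) return 0;
    return confine_path(root, decoded, out, outlen);
}

/* Helpers returning 1 on the expected outcome (root fixed at /var/www). */
int check_resolves(const char *encoded, const char *expected) {
    char buf[1024];
    return resolve_under_root("/var/www", encoded, buf, sizeof buf) == 1 &&
           strcmp(buf, expected) == 0;
}
int check_rejects(const char *encoded) {
    char buf[1024];
    return resolve_under_root("/var/www", encoded, buf, sizeof buf) == 0;
}

int main(void) {
    const char *samples[] = { "docs/index.html", "../outside.txt",
                              "docs/../../outside.txt", "%2e%2e/outside.txt",
                              "a%00.txt" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char buf[1024];
        int ok = resolve_under_root("/var/www", samples[i], buf, sizeof buf);
        printf("%-24s -> %s\n", samples[i], ok ? buf : "REJECTED");
    }
    return 0;
}
```

The confinement is purely lexical, which is enough to stop '../' and its encoded variants; on a real filesystem the server should still apply realpath() to the result and confirm the canonical path starts with the root, since symlinks inside the document root can otherwise point elsewhere.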

Copyright 2010, SecurityFocus