-----BEGIN PGP SIGNED MESSAGE-----

==============================================================================
Security Advisory                                                      CERT-NL
==============================================================================
Author/Source : Peter Jurg                                  Index  :   S-97-31
Distribution  : World                                       Page   :         1
Classification: External                                    Version:         1
Subject       : Vulnerability in webdist.cgi                Date   : 06-mei-97
==============================================================================

By courtesy of CERT Coordination Center we received the following
information.

CERT Coordination Center advisory CA-97.12.webdist reports a vulnerability
in in the webdist.cgi cgi-bin program, part of the IRIX
Mindshare Out Box package, available with IRIX 5.x and 6.x.

This vulnerability allows local and remote users to execute
arbitrary commands with the privileges of the httpd daemon. This may be
used to compromise the http server and under certain configurations gain
privileged access.

Currently there are no official vendor patches available which address the
vulnerability described in this advisory.

CERT-NL recommends to act according to the CERT-CC advisory.

All CERT Coordination Center advisories are mirrored by CERT-NL.
The specific URL for this case is:

<ftp://ftp.surfnet.nl/surfnet/net-security/
cert-cc-mirror/cert_advisories/CA-97.12.webdist>

ADVISORIES ARE REGULARLY UPDATED BY CERT COORDINATION CENTER.
Therefore we advise you to check on our mirror regularly -
you can automate this process using the CERT-NL notifier service.

More information about the CERT-NL mirror and notifier services is
contained in News items N-95-01 (notifier) and N-95-02 (CERT mirror),
both present on
<ftp://ftp.surfnet.nl/surfnet/net-security/cert-nl/docs/news/>

==========================================================================

CERT-NL is the Computer Emergency Response Team for SURFnet customers.
SURFnet is the Dutch network for educational, research and related
institutes.
CERT-NL is a member of the Forum of Incident Response and Security Teams
(FIRST).

All CERT-NL material is available under:
  <http://www.surfnet.nl/surfnet/security/cert-nl.html>
  <ftp://ftp.surfnet.nl/surfnet/net-security>

In case of computer or network security problems please contact your
local CERT/security-team or CERT-NL  (if your institute is NOT a SURFnet
customer please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).
   Email:     cert-nl@surfnet.nl
   Phone:     +31 302 305 305
   Fax:       +31 302 305 329
   Snailmail: SURFnet bv
              Attn. CERT-NL
              P.O. Box 19035
              NL - 3501 DA  UTRECHT
              The Netherlands
   A 7 * 24 hours phone number is available to SURFnet SSC's and FIRST
   members on request.
==========================================================================


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: cp850

iQCVAwUBM3BPcUU5nQkWIq1FAQENfwP/SoDEVrtVWUXGPQx4/UbHgrsNMbu4eaQ3
led2WU5OjOu4CzaZ8RLRFnjrKk5wh6A4P4JeBH4abQMwQdqpt2YPbXIsMANUFLqJ
w8HIsDEoPdOg0hJfM7lmH5vGg9v8wO6VlNOlYHD6l+pLq4BT1lIpfWpHWxAviS5r
WtXquuXe3YA=
=gAZt
-----END PGP SIGNATURE-----