Rule: -- Sid: 2196 -- Summary: This event is generated when an attempt is made to access catgy.cgi on an internal web server. This may indicate an attempt to exploit a cross-site scripting vulnerability in Aktivate e-commerce software. -- Impact: Arbitrary code execution, possible session hijack. -- Detailed Information: Aktivate 1.03 is an e-commerce application for use on Linux and other UNIX-based operating systems. An attacker can craft a URL with malicious code in the "desc" command's argument that passes the commands to catgy.cgi. If a legitimate user activates the URL, malicious code may be executed on the client computer. -- Affected Systems: Systems running Aktivate 1.03. -- Attack Scenarios: An attacker may craft a URL that, when activated by a legitimate user, obtains the user's session cookie, thereby allowing the attacker to pose as the user for the duration of the session. -- Ease of Attack: Simple. A proof of concept exists. -- False Positives: If a legitimate remote user accesses catgy.cgi, this rule may generate an event. -- False Negatives: None known. -- Corrective Action: It is not known if this vulnerability has been fixed. Contact the vendor, Allen & Keul Web Solutions (http://www.allen-keul.net) for more information. -- Contributors: Sourcefire Research Team Brian Caswell <bmc@sourcefire.com> Nigel Houghton <nigel.houghton@sourcefire.com> Sourcefire Technical Publications Team Jennifer Harvey <jennifer.harvey@sourcefire.com> -- Additional References: http://www.securityfocus.com/bid/3714 --