PT-2001-2102 · Valicert · Valicert Enterprise Validation Authority (Eva) Administration Server

Published: 2001-12-04 · Updated: 2024-02-14 · CVE-2001-0949

CVSS v2.0: 7.5 (High)

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions

ValiCert Enterprise Validation Authority (EVA) Administration Server versions 3.3 through 4.2.1

Description

The issue allows remote attackers to execute arbitrary code via long arguments to various parameters, including Mode, Certificate File, useExpiredCRLs, listenLength, maxThread, maxConnPerSite, maxMsgLen, exitTime, blockTime, nextUpdatePeriod, buildLocal, maxOCSPValidityPeriod, extension, and a particular combination of parameters associated with private key generation.

Recommendations

For ValiCert Enterprise Validation Authority (EVA) Administration Server versions 3.3 through 4.2.1, consider restricting access to the forms.exe CGI program to minimize the risk of exploitation. As a temporary workaround, limit the length of arguments passed to the vulnerable parameters until a patch is available.
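
One way to apply the length-limiting workaround in a filter placed in front of forms.exe, or over logged requests, is sketched below. It is an added example, not vendor code. Assumptions: the parameters arrive URL-encoded under the names listed in the description, the 64-character limit is a placeholder, and the `/cgi-bin/` path in the samples is constructed.

```python
from urllib.parse import parse_qsl

# Parameter names copied from the advisory's description (compared case-insensitively).
# "Certificate File" is used as written there; the on-the-wire field name may differ.
VULNERABLE_PARAMS = {
    "mode", "certificate file", "useexpiredcrls", "listenlength", "maxthread",
    "maxconnpersite", "maxmsglen", "exittime", "blocktime", "nextupdateperiod",
    "buildlocal", "maxocspvalidityperiod", "extension",
}

MAX_VALUE_LEN = 64  # assumed limit, not from the advisory; tune to legitimate values


def oversized_params(encoded_params, limit=MAX_VALUE_LEN):
    """Return [(name, decoded_length)] for listed parameters whose value exceeds limit."""
    hits = []
    # Lengths are measured after percent-decoding, i.e. on the value the CGI
    # program would receive, so "%41" counts as one character.
    for name, value in parse_qsl(encoded_params, keep_blank_values=True):
        if name.strip().lower() in VULNERABLE_PARAMS and len(value) > limit:
            hits.append((name, len(value)))
    return hits


def should_block(path, encoded_params, limit=MAX_VALUE_LEN):
    """True when a request that targets forms.exe carries an over-long listed parameter."""
    if "forms.exe" not in path.lower():
        return False
    return bool(oversized_params(encoded_params, limit))


# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("/cgi-bin/forms.exe", "Mode=view&maxThread=16"),
    ("/cgi-bin/forms.exe", "Mode=view&maxThread=" + "9" * 300),
    ("/cgi-bin/FORMS.EXE", "listenLength=" + "%41" * 200),
    ("/index.html", "extension=" + "x" * 300),
]

if __name__ == "__main__":
    for path, params in SAMPLES:
        verdict = "BLOCK" if should_block(path, params) else "allow"
        print(verdict, path, oversized_params(params))
```

The check covers only the individually named parameters; the parameter combination associated with private key generation is not identified in the description, so restricting access to forms.exe remains the primary control.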

Fix

Related Identifiers

CVE-2001-0949

Affected Products

Valicert Enterprise Validation Authority (Eva) Administration Server