CVE-2004-2640
Description
LinuxStat before 2.3.1's lstat.cgi allows remote attackers to read arbitrary files via directory traversal or absolute path in the template parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
LinuxStat before 2.3.1's lstat.cgi allows remote attackers to read arbitrary files via directory traversal or absolute path in the template parameter.
Vulnerability
LinuxStat versions prior to 2.3.1 contain a directory traversal vulnerability in the lstat.cgi script. The template parameter does not properly sanitize user input, allowing an attacker to include files via .. (dot dot) sequences or absolute paths [1].
Exploitation
An unauthenticated remote attacker can send a crafted HTTP request to the lstat.cgi endpoint, providing a malicious template parameter (e.g., ../../etc/passwd or /etc/shadow). The script will then include and output the contents of the specified file [1].
Impact
Successful exploitation allows an attacker to read arbitrary files on the server filesystem. This can lead to disclosure of sensitive information such as configuration files, passwords, or other application data. The attacker does not require any special privileges beyond network access to the CGI script [1].
Mitigation
Upgrade to LinuxStat version 2.3.1 or later, which contains the fix [1]. No workaround is documented in the available references.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
6- secunia.com/advisories/12963nvdPatchVendor Advisory
- www.osvdb.org/11103nvdPatch
- securitytracker.com/idnvdExploit
- www.securityfocus.com/bid/11517nvdExploitPatch
- sourceforge.net/project/shownotes.phpnvd
- exchange.xforce.ibmcloud.com/vulnerabilities/17833nvd
News mentions
0No linked articles in our index yet.