Family: CGI abuses --> Category: infos
AltaVista Intranet Search Vulnerability Scan
Vulnerability Scan Summary
Checks if query?mss=... reads arbitrary files
Detailed Explanation for this Vulnerability Test
It is possible to read the contents of any file on the remote
host (such as your configuration files or other sensitive data)
by using the AltaVista Intranet Search service and performing
the request:
GET /cgi-bin/query?mss=%2e%2e/config
Bugtraq ID : 896
Solution :
- edit the /httpd/config file and change MGMT_IPSPEC from
  '0.0.0.0/0' to a specific IP such as '127.0.0.1/32'
- stop page gathering via the management interface
- restart the AltaVista Search Service (to re-read the config file)
- restart page gathering if necessary
- change the username/password through the management interface to bogus
  information
- exploit server and download ../logs/mgtstate (puts file in cache)
  http://localhost:9000/cgi-bin/query?mss=../logs/mgtstate
- change the username/password through the management interface to something
  different (but not used anywhere else)
- avoid restarting the AltaVista service or clearing the cache
Threat Level: High
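
To see whether the request described above has already been sent to a server, its web access logs can be searched for /cgi-bin/query requests whose mss parameter contains a parent-directory segment. The following is an added example, not part of the original plugin description; it assumes access logs in Common Log Format, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Common Log Format (addresses are documentation ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Jan/2000:10:00:01 +0000] "GET /cgi-bin/query?mss=%2e%2e/config HTTP/1.0" 200 812',
    '192.0.2.20 - - [05/Jan/2000:10:00:05 +0000] "GET /cgi-bin/query?mss=search&q=intranet HTTP/1.0" 200 4096',
    '198.51.100.7 - - [05/Jan/2000:10:01:12 +0000] "GET /cgi-bin/query?mss=%252e%252e/logs/mgtstate HTTP/1.0" 404 210',
    '192.0.2.20 - - [05/Jan/2000:10:02:00 +0000] "GET /index.html HTTP/1.0" 200 1024',
]

# Captures client address, request target and response status.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|HEAD|POST) (\S+)[^"]*" (\d{3})')

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so %252e%252e is treated like %2e%2e."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def mss_traversal(target):
    """Return the decoded mss value if the target is the query CGI and
    mss contains a '..' path segment; otherwise return None."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/cgi-bin/query"):
        return None
    for raw in parse_qs(parts.query, keep_blank_values=True).get("mss", []):
        value = decode_fully(raw)
        # Compare whole path segments so a value like "a..b" is not flagged.
        if ".." in value.replace("\\", "/").split("/"):
            return value
    return None

def scan(lines):
    """Return (client, status, decoded mss) for every matching log line."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        value = mss_traversal(m.group(2))
        if value is not None:
            hits.append((m.group(1), int(m.group(3)), value))
    return hits
```

A hit with status 200 means the server answered the request and deserves priority review; any hit for ../logs/mgtstate or ../config means the management credentials should be treated as exposed.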