| VID | 21075 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description |
The query CGI program in the AltaVista Search software allows a remote attacker to traverse one level up the file system by placing "../" or "%2e%2e/" in the mss argument, for example with the request:
GET /cgi-bin/query?mss=%2e%2e/config
This could allow remote retrieval of the AltaVista Search configuration file, which contains sensitive account information. An additional hole in this script allows an attacker to form a request using hexadecimal escapes (i.e. %2E) to view any file on the system at an arbitrary directory depth. This vulnerability affects AltaVista Search 2.x. |
| Recommendation |
1. Edit the <install-dir>/httpd/config file and change MGMT_IPSPEC from "0.0.0.0/0" to a specific IP such as "127.0.0.1/32".
2. Stop page gathering via the management interface.
3. Restart the AltaVista Search service (to re-read the config file).
4. Restart page gathering if necessary.
5. Change the username/password through the management interface to bogus information.
6. Exploit the server and download ../logs/mgtstate (puts file in cache): http://localhost:9000/cgi-bin/query?mss=../logs/mgtstate
7. Change the username/password through the management interface to something different (but not used anywhere else).
8. Avoid restarting the AltaVista service or clearing the cache. |
| Related URL | CVE-2000-0039 (CVE) |
| Related URL | 896 (SecurityFocus) |
| Related URL | 3754 (ISS) |
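
One way to check web server access logs for the mss traversal described in the Detailed Description, added here as an example and not part of the original entry or of the AltaVista software. It assumes common log format; the sample lines and all function names are constructed for illustration, and the decoder also covers double-encoded values, which goes slightly beyond the two spellings the entry lists.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed access-log lines in common log format (an assumption); not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2000:10:00:00 +0000] "GET /cgi-bin/query?pg=q&q=security HTTP/1.0" 200 5120
192.0.2.11 - - [01/Jan/2000:10:00:05 +0000] "GET /cgi-bin/query?mss=%2e%2e/config HTTP/1.0" 200 812
192.0.2.12 - - [01/Jan/2000:10:00:09 +0000] "GET /cgi-bin/query?mss=../logs/mgtstate HTTP/1.0" 200 640
192.0.2.13 - - [01/Jan/2000:10:00:12 +0000] "GET /cgi-bin/query?mss=%252E%252E%2Fconfig HTTP/1.0" 404 210
192.0.2.15 - - [01/Jan/2000:10:00:20 +0000] "GET /index.html?mss=../x HTTP/1.0" 200 100
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|HEAD|POST) (\S+)')
# A ".." path segment, delimited by / or \ or the ends of the value.
DOTDOT_RE = re.compile(r'(?:^|[/\\])\.\.(?:[/\\]|$)')

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so %2e and %252e both become '.'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def mss_values(target):
    """Yield raw mss= values, but only for requests to the query CGI."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/cgi-bin/query"):
        return
    for pair in re.split(r"[&;]", parts.query):
        name, _, value = pair.partition("=")
        if unquote(name).lower() == "mss":
            yield value

def find_traversal(log_text):
    """Return (client, request target) for each mss traversal attempt."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        if any(DOTDOT_RE.search(fully_decode(v)) for v in mss_values(target)):
            hits.append((client, target))
    return hits

if __name__ == "__main__":
    for client, target in find_traversal(SAMPLE_LOG):
        print(f"{client}  {target}")
```

A hit that was answered with status 200 deserves priority, since the entry notes the configuration file holds account information.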