Bugtraq mailing list archives
Sojourn Search Engine exposes files
From: CST () CERBERUS-INFOSEC CO UK (Cerberus Security Team)
Date: Tue, 14 Mar 2000 23:22:26 -0000
Cerberus Information Security Advisory (CISADV000313)
http://www.cerberus-infosec.co.uk/advisories.shtml

Released: 13th March 2000
Name: Sojourn Search
Affected Systems: Any web server running this search engine.
Issue: Attackers can read any local file on the file system that they have read access to.
Author: David Litchfield (mnemonix () globalnet co uk)

Description
***********
The Cerberus Security Team has discovered a weakness in the commercial search engine Sojourn (http://www.generationterrorists.com/sojourn_superuser.html) that allows attackers to read any local file on the file system that they have read access to (as provided by the account the web server is running under). As such, files such as /etc/passwd on Unix systems can be read, as can files such as global.asa on Windows NT and 2000.

Details
*******
Part of the functionality provided by the Sojourn search engine allows the admin of a website to group sites and information in categories, and a web user can then search a category with a request of:

http://charon/cgi-bin/sojourn.cgi?cat=Arts

These categories are actually stored as .txt files -> Arts.txt. The ".txt" is appended to the end of the "cat" parameter, and the file is then opened and its contents returned. However, the search engine will follow double dots, allowing us to break out of the web server's virtual root. At first glance it may seem that only .txt files will be accessible; however, by placing a %00 on the end of the "cat" parameter we can effectively cut off the ".txt", thus being able to open any file. For example

http://charon/cgi-bin/sojourn.cgi?cat=../../../../../../etc/passwd%00

will display the contents of the passwd file on UNIX boxes.

Solution
********
The vendor was informed and they have addressed their code, and this now appears to be fixed. Until the update can be obtained, Cerberus suggests that this search engine be temporarily disabled or removed.

A check has been added into our security scanner, CIS.
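As an added illustration (not part of the advisory, and not Sojourn's own code, whose language is not stated), the Python below models the file lookup the advisory describes next to a hardened resolver of the kind the fix needs: allow-list the category name, refuse NUL bytes, and confirm the resolved path is still inside the category directory. The category directory path is an assumption.

```python
import os
import re
from urllib.parse import unquote

# Assumed layout: each category is stored as <CATEGORY_DIR>/<name>.txt.
CATEGORY_DIR = "/var/www/sojourn/categories"
# Category names are plain words; no separators, dots or control bytes.
CATEGORY_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def naive_category_path(cat_param: str, base: str = CATEGORY_DIR) -> str:
    """Model of the weakness: URL-decode the parameter, append ".txt",
    and let a C-style open() stop at the first NUL byte, so ../ sequences
    are honoured and the suffix can be cut off."""
    name = unquote(cat_param)                 # %00 decodes to a real NUL byte
    path = os.path.join(base, name + ".txt")
    path = path.split("\x00", 1)[0]           # C string semantics: NUL ends the name
    return os.path.normpath(path)             # ../ is resolved, climbing out of base


def safe_category_path(cat_param: str, base: str = CATEGORY_DIR):
    """Hardened resolver: returns the file to open, or None if the request
    is rejected. Three independent checks, any of which alone would
    stop the request shown in the advisory."""
    name = unquote(cat_param)
    if "\x00" in name:                        # embedded NUL: never legitimate
        return None
    if not CATEGORY_NAME.match(name):         # allow-list: no "/", ".", "%" etc.
        return None
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, name + ".txt"))
    if os.path.dirname(candidate) != base_real:   # must stay inside the directory
        return None
    return candidate


if __name__ == "__main__":
    # Constructed inputs: the advisory's legitimate request and its traversal request.
    for cat in ("Arts", "../../../../../../etc/passwd%00"):
        print(f"{cat!r:45} naive -> {naive_category_path(cat)}")
        print(f"{'':45} safe  -> {safe_category_path(cat)}")
```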
About Cerberus Information Security, Ltd
****************************************
Cerberus Information Security, Ltd, a UK company, are specialists in penetration testing and other security auditing services. They are the developers of CIS (Cerberus' Internet security scanner), available for free from their website: http://www.cerberus-infosec.co.uk

To ensure that the Cerberus Security Team remains one of the strongest security audit teams available globally, they continually research operating system and popular service software vulnerabilities, leading to the discovery of "world first" issues. This not only keeps the team sharp but also helps the industry and vendors as a whole, ultimately protecting the end consumer. As testimony to their ability and expertise, one just has to look at exactly how many major vulnerabilities have been discovered by the Cerberus Security Team - over 40 to date, making them a clear leader among companies offering such security services.

Founded in late 1999 by Mark and David Litchfield, Cerberus Information Security, Ltd are located in London, UK but serve customers across the World. For more information about Cerberus Information Security, Ltd please visit their website or call on +44(0) 181 661 7405

Permission is hereby granted to copy or redistribute this advisory but only in its entirety.

Copyright (C) 2000 by Cerberus Information Security, Ltd