Bugtraq mailing list archives
Bug in mnogosearch-3.1.19
From: qitest1 <qitest1 () bespin org>
Date: Sat, 11 May 2002 19:08:15 +0200 (CEST)
qitest1 security advisory #003

Bug in mnogosearch-3.1.19 and prior
-----------------------------------------------

PROGRAM DESCRIPTION

mnoGoSearch is a full-featured SQL based web search engine, available from http://www.mnogosearch.org.

PROBLEM DESCRIPTION

When receiving a too long query string (q var), search.cgi segfaults (http://127.0.0.1/cgi-bin/search.cgi?q=query). The bug resides in a bad management of heap-allocated memory. The bug could be abused by remote attackers to execute code with web server privileges.

SOLUTION

Authors were contacted a month ago: they told me that the cvs version had been fixed. Nevertheless the stable version recommended on their web site is still bugged. At the moment you should disable search.cgi, use the stupid patch attached to this advisory (for 3.1.19) or alternatively install last cvs version.

-- ---- q1-- http://qitest1.0xfee1dead.net/ --
Attachment:
mnogosearch-3.1.19.patch
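
For administrators who cannot patch immediately, one way to review web server access logs for oversized `q` values sent to search.cgi, as an added example that is not part of the original advisory or of mnoGoSearch. The 256-byte cutoff, the function name and the sample log lines are assumptions made for illustration; the advisory does not state the length at which search.cgi fails.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: the advisory gives no overflow length, so this cutoff is a
# site-chosen ceiling for legitimate search terms, not a value from the page.
MAX_Q_LEN = 256

# Client address, request target and status from a Common/Combined Log Format line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def overlong_queries(lines, limit=MAX_Q_LEN):
    """Return (client, status, decoded_length) for search.cgi hits whose q exceeds limit."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable request line
        client, target, status = m.group(1), m.group(2), int(m.group(3))
        url = urlsplit(target)
        if not url.path.endswith("/search.cgi"):
            continue
        # parse_qs percent-decodes, so %41 counts as one byte, as the CGI sees it.
        values = parse_qs(url.query, keep_blank_values=True).get("q", [])
        # A repeated q parameter is measured by its longest value.
        longest = max((len(v.encode("utf-8")) for v in values), default=0)
        if longest > limit:
            hits.append((client, status, longest))
    return hits

# Constructed sample log lines (not taken from the advisory).
SAMPLE_LOG = [
    '192.0.2.10 - - [11/May/2002:19:01:00 +0200] "GET /cgi-bin/search.cgi?q=query HTTP/1.0" 200 5120',
    '192.0.2.77 - - [11/May/2002:19:02:13 +0200] "GET /cgi-bin/search.cgi?q='
    + "A" * 6000 + ' HTTP/1.0" 500 612',
    '192.0.2.78 - - [11/May/2002:19:02:40 +0200] "GET /cgi-bin/search.cgi?lang=en&q='
    + "%41" * 300 + ' HTTP/1.0" 500 612',
    '192.0.2.10 - - [11/May/2002:19:03:00 +0200] "GET /index.html?q='
    + "B" * 900 + ' HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for client, status, length in overlong_queries(SAMPLE_LOG):
        print(f"{client} status={status} q_len={length}")
```

Only GET-style query strings recorded in the access log are covered; a `q` value submitted in a request body does not appear there.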