Bugtraq mailing list archives
AltaVista
From: rudicarell () HOTMAIL COM (rudi carell)
Date: Wed, 29 Dec 1999 06:52:46 PST
good morning folks,
... "With AltaVista Search Software, you can create your own search and
retrieval Web site with the same relevancy, performance, and efficiency of
the powerful AltaVista Search engine (www.altavista.com) used to index the
World Wide Web" ...
yes that's true .. but,
if you take a closer look at its functionality and file-structure you will
find some interesting things:
the template-variable: {mss} in the main search function (cgi-bin/query?)
allows you one traversal step back and
shows you any file in the "http - directory".
example: http://we.loverudi.org:9000/cgi-bin/query?../config
if you try to go more than one directory back the program escapes {mss} with
"@../" ...
nice try .. but much too late .. the http directory contains some very
interesting files:
../config ( Var "MGMT_PW=[ Plaintext MGMT-password ]" )
../logs/mgtstate ( passw=[ encoded mgt-password ] .. NOT the
MGMT-password !!!)
../logs/stats.log ( sometimes stats_log )
../logs/access.log ( sometimes access_log )
forget everything but the "mgtstate" file .. it contains the
username:password
for the online-config tool ( http://we.loverudi.org:9000/cgi-bin/mgt ) in
the form:
passw=[ encoded user:password string ]
pfft .. these guys are really smart .. they encode their passwords ... (
base64:)
now we need a prg/script to decode the user/password - string
---cut here---
#!/usr/bin/perl
use MIME::Base64;
print decode_base64("$ARGV[0]"), "\n";
---cut here---
thank you ...
then start(goto) the online config tool (
http://we.loverudi.org:9000/cgi-bin/mgt )
and do whatever you want ... aso aso aso
have a nice Y2K-BUG
rudicarell () hotmail com
other infos:
vulnerable: altavista search intranet 2.??
type: Input Validation Error
object: query?
remote: yes
vendor: altavista ( got informed ~3 months ago )
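
Added example (not part of the original post and not AltaVista's code): a containment check that canonicalises the requested template name before deciding, next to a constructed model of the reported filter that lets the first "../" through and only rewrites later ones to "@../". The function names and the "templates" directory layout are assumptions made for illustration.

```python
import os
import tempfile

def naive_resolve(base, name):
    # Constructed model of the behaviour the post reports: the first "../"
    # passes through and only later ones are rewritten to "@../".
    head, sep, rest = name.partition("../")
    if sep:
        name = head + sep + rest.replace("../", "@../")
    return os.path.normpath(os.path.join(base, name))

def safe_resolve(base, name):
    # Canonicalise first (symlinks, "..", absolute names), then require the
    # result to be inside the template directory before any file is opened.
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, name))
    if os.path.commonpath([base_real, target]) != base_real:
        raise ValueError("outside template directory: %r" % name)
    return target

def demo():
    # Constructed layout: <root>/config sits one level above <root>/templates.
    root = os.path.realpath(tempfile.mkdtemp())
    templates = os.path.join(root, "templates")
    os.mkdir(templates)
    open(os.path.join(templates, "default"), "w").close()
    open(os.path.join(root, "config"), "w").close()
    results = {}
    for name in ("default", "../config", "../../etc/passwd", "/etc/passwd"):
        try:
            safe = safe_resolve(templates, name)
        except ValueError:
            safe = None  # request rejected
        results[name] = (naive_resolve(templates, name), safe)
    return root, results

if __name__ == "__main__":
    root, results = demo()
    for name, (naive, safe) in results.items():
        print("%-20s naive=%s safe=%s" % (name, naive, safe))
```
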
