Bugtraq mailing list archives
AltaVista
From: rudicarell () HOTMAIL COM (rudi carell)
Date: Wed, 29 Dec 1999 06:52:46 PST
good morning folks, ... "With AltaVista Search Software, you can create your own search and retrieval Web site with the same relevancy, performance, and efficiency of the powerful AltaVista Search engine (www.altavista.com) used to index the World Wide Web" ... yes thats true .. but, if you take a closer look on its functionallity and file-scructure you will find some interesting things: the template-variable: {mss} in the main search function (cgi-bin/query?) allows you one traversal step back and shows you any file in the "http - directory". example: http://we.loverudi.org:9000/cgi-bin/query?../config if you try to go more then one directory back the program escapes {mss} with "@../" ... nice try .. but much to late .. the http directory contains some very interesting files: ../config ( Var "MGMT_PW=[ Plaintext MGMT-password ]" ) ../logs/mgtstate ( passw=[ encoded mgt-password ] .. NOT the MGMT-password !!!) ../logs/stats.log ( sometimes stats_log ) ../logs/access.log ( sometimes access_log ) forget everything but the "mgtstate" file .. it contains the username:password for the online-config tool ( http://we.loverudi.org:9000/cgi-bin/mgt ) in the form: passw=[ encoded user:password string ] pfft .. these guys are really smart .. the encode their passwords ... ( base64:) now we need a prg/script to decode the user/password - string ---cut here--- #!/usr/bin/perl use MIME::Base64; print decode_base64("$ARGV[0]"), "\n"; ---cut here--- thank you ... then start(goto) the online config tool ( http://we.loverudi.org:9000/cgi-bin/mgt ) and do whatever you want ... aso aso aso have a nice Y2K-BUG rudicarell () hotmail com other infos: vulnerable: altavista search intranet 2.?? type: Input Validation Error object: query? remote: yes vendor: altavista .. got informed ~3 month ago) ______________________________________________________ Get Your Private, Free Email at http://www.hotmail.com
Current thread:
- Local / Remote Remote DoS Attack in Rover POP3 Server V1.1 NT From aVirt Ussr Labs (Dec 27)
- Remote DoS/Access Attack in Internet Anywhere Mail Server(POP 3) v2.3.1 Steven Alexander (Dec 27)
- Trend Micro InterScan VirusWall SMTP bug asl () USA ALCATEL COM (Dec 27)
- L0pht Advisory: initscripts-4.48-1 RedHat Linux 6.1 Mudge (Dec 27)
- UnixWare local pis exploit Brock Tellier (Dec 27)
- Third Party Software Affected by IIS "Escape Character Parsing" V ulnerability Microsoft Product Security Response Team (Dec 28)
- majordomo local exploit Brock Tellier (Dec 28)
- $cf Security flaw Shevek (Dec 02)
- Re: majordomo local exploit Christopher Schulte (Dec 28)
- Re: majordomo local exploit Todd C. Miller (Dec 28)
- AltaVista rudi carell (Dec 29)
- Re: majordomo local exploit Taneli Huuskonen (Dec 29)
- Re: majordomo local exploit Coolio (Dec 29)
- Re: majordomo local exploit Henrik Edlund (Dec 29)
- bna,sh Loneguard (Dec 30)
- Re: majordomo local exploit Andrew Brown (Dec 30)
- Re: majordomo local exploit Henrik Nordstrom (Dec 30)
- Fix for HP-UX automountd/autofs exploit (fwd) Doug Siebert (Dec 30)
- Re: Fix for HP-UX automountd/autofs exploit (fwd) LaMont Jones (Dec 31)
- vibackup.sh Loneguard (Dec 31)
- More info on MS99-061 (IIS escape character vulnerability) .rain.forest.puppy. (Dec 29)