Bugtraq mailing list archives

Sojourn Search Engine exposes files


From: CST () CERBERUS-INFOSEC CO UK (Cerberus Security Team)
Date: Tue, 14 Mar 2000 23:22:26 -0000


Cerberus Information Security Advisory (CISADV000313)
http://www.cerberus-infosec.co.uk/advisories.shtml

Released         : 13th March 2000
Name             : Sojourn Search
Affected Systems : Any web server running this search engine.
Issue            : Attackers can read any local file on the file system that
                   they have read access to.

Author: David Litchfield (mnemonix () globalnet co uk)

Description
***********
The Cerberus Security Team has discovered a weakness in the commercial
search engine Sojourn
(http://www.generationterrorists.com/sojourn_superuser.html) that allows
attackers to read any local file on the file system that they have read
access to (as provided by the account the web server is running under). As
such, files such as /etc/passwd on Unix systems, or global.asa on Windows NT
and 2000, can be read.

Details
*******
Part of the functionality provided by the Sojourn search engine allows the
admin of a website to group sites and information in categories; a web user
can then search a category with a request of the form:

http://charon/cgi-bin/sojourn.cgi?cat=Arts

These categories are actually stored as .txt files -> Arts.txt.
The ".txt" is appended to the end of the "cat" parameter and the file is
then opened and its contents returned. However, the search engine will
follow double dots, allowing us to break out of the web server's virtual
root. At first glance it may seem that only .txt files will be accessible;
however, by placing a %00 on the end of the "cat" parameter we can
effectively cut off the ".txt" and so open any file. For example,

http://charon/cgi-bin/sojourn.cgi?cat=../../../../../../etc/passwd%00

will display the contents of the passwd file on UNIX boxes.
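As an added example (not part of the advisory and not the Sojourn code, whose language is unknown), the input check a hardened sojourn.cgi would need on the "cat" parameter, together with a scan of web-server log lines for requests carrying the double-dot and %00 pattern described above. The category directory layout, the plain-identifier rule for category names and the sample log lines are assumptions.

```python
import os
import re
import tempfile
from urllib.parse import parse_qs, urlsplit

# Category names are plain identifiers: dots, slashes and NUL bytes are rejected before the file system is touched.
CATEGORY_RE = re.compile(r"[A-Za-z0-9_-]+")

def resolve_category(cat, base_dir):
    """Return <base_dir>/<cat>.txt if 'cat' is a plain name and resolves under base_dir, else None."""
    if not CATEGORY_RE.fullmatch(cat):
        return None
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, cat + ".txt"))
    return path if os.path.commonpath([base, path]) == base else None

def load_category(cat, base_dir):
    """Open the category file the way a hardened sojourn.cgi would."""
    path = resolve_category(cat, base_dir)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8") as fh:
        return fh.read()

def flag_traversal_requests(log_lines):
    """Return Common Log Format lines whose 'cat' value carries '..', a separator or a NUL."""
    flagged = []
    for line in log_lines:
        m = re.search(r'"[A-Z]+ (\S+)', line)  # request target after the method
        if not m:
            continue
        for value in parse_qs(urlsplit(m.group(1)).query).get("cat", []):
            if "\x00" in value or ".." in value or "/" in value or "\\" in value:
                flagged.append(line)
                break
    return flagged

# Constructed sample log lines (not from a real server): one normal lookup
# and one request shaped like the advisory's example.
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Mar/2000:23:22:26 +0000] "GET /cgi-bin/sojourn.cgi?cat=Arts HTTP/1.0" 200 512',
    '10.0.0.9 - - [14/Mar/2000:23:23:01 +0000] "GET /cgi-bin/sojourn.cgi?cat=../../../../../../etc/passwd%00 HTTP/1.0" 200 1034',
]

def demo():
    # Create a category directory holding Arts.txt, then try a safe and an unsafe lookup.
    with tempfile.TemporaryDirectory() as base:
        with open(os.path.join(base, "Arts.txt"), "w", encoding="utf-8") as fh:
            fh.write("painting\n")
        return load_category("Arts", base), load_category("../../etc/passwd\x00", base)
```

The whitelist check alone defeats both the traversal and the %00 truncation; the realpath comparison is there so a later change to the naming rule cannot silently reopen the hole.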

Solution
********
The vendor was informed, has addressed the code, and the issue now appears
to be fixed. Until the update can be obtained, Cerberus suggests that this
search engine be temporarily disabled or removed. A check has been added to
our security scanner, CIS.

About Cerberus Information Security, Ltd
****************************************
Cerberus Information Security, Ltd, a UK company, are specialists in
penetration testing and other security auditing services. They are the
developers of CIS (Cerberus' Internet security scanner) available for free
from their website: http://www.cerberus-infosec.co.uk

To ensure that the Cerberus Security Team remains one of the strongest
security audit teams available globally, they continually research operating
system and popular service software vulnerabilities, leading to the discovery
of "world first" issues. This not only keeps the team sharp but also helps
the industry and vendors as a whole, ultimately protecting the end consumer.
As testimony to their ability and expertise, one just has to look at exactly
how many major vulnerabilities have been discovered by the Cerberus Security
Team - over 40 to date, making them a clear leader among companies offering
such security services.

Founded in late 1999 by Mark and David Litchfield, Cerberus Information
Security, Ltd are located in London, UK but serve customers across the
world. For more information about Cerberus Information Security, Ltd please
visit their website or call on +44(0) 181 661 7405

Permission is hereby granted to copy or redistribute this advisory but only
in its entirety.

Copyright (C) 2000 by Cerberus Information Security, Ltd
