OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: qitest1 (qitest1bespin.org)
Date: Sat May 11 2002 - 12:08:15 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

            qitest1 security advisory #003

    Bug in mnogosearch-3.1.19 and prior
    -----------------------------------------------

    PROGRAM DESCRIPTION
    mnoGoSearch is a full-featured SQL based web search engine,
    available from http://www.mnogosearch.org.

    PROBLEM DESCRIPTION
    When receiving a too long query string (q var), search.cgi
    segfaults (http://127.0.0.1/cgi-bin/search.cgi?q=query). The bug
    resides in a bad management of heap-allocated memory. The bug could
    be abused by remote attackers to execute code with web server
    privileges.

    SOLUTION
    Authors were contacted a month ago: they told me that the cvs
    version had been fixed. Nevertheless the stable version
    recommended on their web site is still bugged. At the moment you
    should disable search.cgi, use the stupid patch attached to this
    advisory (for 3.1.19) or alternatively install last cvs version.

    --
    ---- q1-- http://qitest1.0xfee1dead.net/
    --