Subject: SOJOURN Search engine exposes files
From: David Litchfield (d.litchfieldCERBERUS-INFOSEC.CO.UK)
Date: Mon Mar 13 2000 - 10:13:44 CST


Cerberus Information Security Advisory (CISADV000313)
http://www.cerberus-infosec.co.uk/advisories.html

Released : 13th March 2000
Name : Sojourn Search
Affected Systems : Any web server running this search engine.
Issue : Attackers can read any local file on the file system that they have read access to.
Author : David Litchfield (mnemonixglobalnet.co.uk)
Description
***********
The Cerberus Security Team has discovered a weakness in the commercial search engine Sojourn (http://www.generationterrorists.com/sojourn_superuser.html) that allows attackers to read any local file on the file system that they have read access to (as provided by the account the web server is running under). As such, files such as /etc/passwd on Unix systems can be read, as can files such as global.asa on Windows NT and 2000.
Details
*******
Part of the functionality provided by the Sojourn search engine allows the admin of a website to group sites and information in categories, and a web user can then search that category with a request of:

http://charon/cgi-bin/sojourn.cgi?cat=Arts

These categories are actually stored as .txt files -> Arts.txt. The ".txt" is appended to the end of the "cat" parameter and the file is then opened and its contents returned. However, the search engine will follow double dots, allowing us to break out of the web server's virtual root. At first glance it may seem that only .txt files will be accessible; however, by placing a %00 on the end of the "cat" parameter we can effectively cut off the ".txt", thus being able to open any file. For example

http://charon/cgi-bin/sojourn.cgi?cat=../../../../../../etc/passwd%00

will display the contents of the passwd file on UNIX boxes.
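The two defects described above (".." components being followed, and a %00 truncating the appended ".txt") are shown side by side below in an added example; this is not Sojourn's code and the helper names (vulnerable_category_path, safe_category_path, read_category) are assumptions. The vulnerable function only models the path that the flawed scheme would hand to the operating system, while the hardened function allow-lists the category name and confirms the resolved path still lies inside the category directory.

```python
import os
import re
import tempfile

# Assumed conventions for this example: categories live as "<name>.txt" files
# in one directory, and a category name is a short alphanumeric token.
CATEGORY_SUFFIX = ".txt"
CATEGORY_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def vulnerable_category_path(base_dir, cat):
    """Model of the flawed scheme from the advisory: append ".txt" and open.

    The C library that ultimately opens the file treats the string as
    NUL-terminated, so everything after a %00 (decoded to "\\x00") is lost,
    and ".." components are resolved by the kernel. Returns the path that
    would actually be opened; it never touches the filesystem.
    """
    raw = os.path.join(base_dir, cat + CATEGORY_SUFFIX)
    effective = raw.split("\x00", 1)[0]   # NUL truncation drops the ".txt"
    return os.path.normpath(effective)     # ".." walks out of base_dir


def safe_category_path(base_dir, cat):
    """Hardened version: allow-list the name, then confirm the resolved path
    still lies inside base_dir. Raises ValueError on any deviation."""
    if "\x00" in cat:
        raise ValueError("NUL byte in category name")
    if not CATEGORY_NAME.fullmatch(cat):
        raise ValueError("category name contains disallowed characters")
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, cat + CATEGORY_SUFFIX))
    # commonpath (not a plain prefix test) so "/srv/cats-other" cannot pass for "/srv/cats"
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("resolved path escapes the category directory")
    if not candidate.endswith(CATEGORY_SUFFIX):
        raise ValueError("resolved path lost its suffix")
    return candidate


def read_category(base_dir, cat):
    """Return the category file's contents, or raise ValueError."""
    with open(safe_category_path(base_dir, cat), encoding="utf-8") as fh:
        return fh.read()


def _rejects(base_dir, cat):
    """True if the hardened check refuses this category name."""
    try:
        safe_category_path(base_dir, cat)
    except ValueError:
        return True
    return False


def demo():
    """Constructed fixture: a temporary category directory holding Arts.txt."""
    with tempfile.TemporaryDirectory() as base:
        with open(os.path.join(base, "Arts.txt"), "w", encoding="utf-8") as fh:
            fh.write("Arts category listing\n")
        traversal = "../../../../../../etc/passwd\x00"   # the advisory's request, %00 decoded
        return {
            "vulnerable_target": vulnerable_category_path(base, traversal),
            "safe_arts": read_category(base, "Arts"),
            "safe_rejects_traversal": _rejects(base, traversal),
            "safe_rejects_dotdot": _rejects(base, "../Arts"),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The suffix check at the end is deliberate: even with an allow-listed name, verifying that the final path still ends in ".txt" is the direct guard against the truncation trick, independent of how the name was validated.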
Solution
********
The vendor was informed and they have addressed their code and this now appears to be fixed. Until the update can be obtained Cerberus suggests that this search engine be temporarily disabled or removed. A check has been added into our security scanner, CIS.
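Until the search engine is removed or updated, an operator will want to know whether the requests described above have already hit the server. The following added example (not part of the advisory or of CIS) scans web server access log lines in Common Log Format for requests to the sojourn.cgi script whose "cat" parameter decodes to a NUL byte or a ".." path segment. The log lines, addresses and timestamps are constructed for the example; the script path and parameter name are taken from the request shown in the advisory.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access log in Common Log Format (made-up hosts and times).
# Lines 3 and 4 carry the traversal-plus-%00 pattern from the advisory, in
# plain and in percent-encoded form; the 200 status shows the server served them.
SAMPLE_LOG = """\
10.0.0.7 - - [13/Mar/2000:10:01:02 +0000] "GET /cgi-bin/sojourn.cgi?cat=Arts HTTP/1.0" 200 1432
10.0.0.7 - - [13/Mar/2000:10:01:09 +0000] "GET /cgi-bin/sojourn.cgi?cat=Science HTTP/1.0" 200 987
10.0.0.9 - - [13/Mar/2000:10:02:15 +0000] "GET /cgi-bin/sojourn.cgi?cat=../../../../../../etc/passwd%00 HTTP/1.0" 200 1104
10.0.0.9 - - [13/Mar/2000:10:02:31 +0000] "GET /cgi-bin/sojourn.cgi?cat=..%2F..%2Fglobal.asa%00 HTTP/1.0" 200 2210
10.0.0.3 - - [13/Mar/2000:10:03:00 +0000] "GET /index.html HTTP/1.0" 200 512
"""

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)


def suspicious_reasons(raw_value):
    """Decode one query parameter value and name the traits that match the advisory."""
    reasons = []
    decoded = unquote(raw_value)
    if "\x00" in decoded:
        reasons.append("nul-byte")
    # split on both separators so a backslash variant on Windows is also caught
    if any(segment == ".." for segment in re.split(r"[\\/]", decoded)):
        reasons.append("dot-dot")
    return reasons


def scan_log(text, script="/cgi-bin/sojourn.cgi", param="cat"):
    """Return one finding per suspicious request to the given script."""
    findings = []
    for line in text.splitlines():
        m = CLF.match(line)
        if not m:
            continue                     # not CLF; skip rather than guess
        parts = urlsplit(m.group("target"))
        if parts.path != script:
            continue
        for pair in parts.query.split("&"):
            key, _, raw_value = pair.partition("=")
            if key != param:
                continue
            reasons = suspicious_reasons(raw_value)
            if reasons:
                findings.append({
                    "ip": m.group("ip"),
                    "timestamp": m.group("ts"),
                    "status": int(m.group("status")),
                    "decoded_cat": unquote(raw_value),
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A 200 status on a flagged request is the signal to treat as a confirmed disclosure rather than an attempt, since the advisory states the file contents are returned in the response.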
About Cerberus Information Security, Ltd
****************************************
Cerberus Information Security, Ltd, a UK company, are specialists in penetration testing and other security auditing services. They are the developers of CIS (Cerberus' Internet security scanner) available for free from their website:

http://www.cerberus-infosec.co.uk

To ensure that the Cerberus Security Team remains one of the strongest security audit teams available globally they continually research operating system and popular service software vulnerabilities leading to the discovery of "world first" issues. This not only keeps the team sharp but also helps the industry and vendors as a whole, ultimately protecting the end consumer. As testimony to their ability and expertise one just has to look at exactly how many major vulnerabilities have been discovered by the Cerberus Security Team - over 40 to date, making them a clear leader of companies offering such security services.

Founded in late 1999, by Mark and David Litchfield, Cerberus Information Security, Ltd are located in London, UK but serves customers across the World. For more information about Cerberus Information Security, Ltd please visit their website or call on +44(0) 181 661 7405
Permission is hereby granted to copy or redistribute this advisory but only in its entirety.
Copyright (C) 2000 by Cerberus Information Security, Ltd