Full Version: Risearch And Risearch Propro Are Vulnerable
qcred11
Jul 29 2004, 10:33 PM

Abstract:
~~~~~~~~~

        The RiSearch (and Pro) Suite is a set of PERL scripts that enables
users to search web sites.  RiSearch (Pro) is vulnerable to an open proxy
attack that allows arbitrary access to ports via FTP and HTTP as well as
access to the remote file system (files and directory listings) outside the
web root.

Description:
~~~~~~~~~~~~

        During a recent security testing engagement it was identified that
public access was granted to a script show.pl, which grabs a web page and
highlights words in it based on POST/GET variables. The functionality was
originally designed to show and highlight pages from the target web site only.

However it was identified that no access restrictions were applied to
the script and it was possible to manipulate the variables to make requests
to other sites, ports and files.  For example, one could select: -

http://10.0.0.0/cgi-bin/search/show.pl?url.../www.google.com

and the site would return the Google web site. Unfortunately this means
that the server is now an open proxy, and it is possible to utilise the
script to access web servers on the net and masquerade behind the target's
site, which is very useful for analysing/attacking other servers using web
protocols.

Furthermore, it is also possible to request web sites from private IP
addresses behind the firewall, for example: -

http://10.0.0.0/cgi-bin/search/show.pl?url...p://192.168.0.1

or from another port (in this case a Tomcat admin page): -

http://10.0.0.0/cgi-bin/search/show.pl?url.../localhost:8080

This seriously circumvents the security of any firewall infrastructure
in place protecting the hosts.

It was also observed that it was possible to gain access to services
using the FTP protocol using: -

http://10.0.0.0/cgi-bin/search/show.pl?url=ftp://192.168.0.1

Again, potentially compromising any access restrictions in place at the
network layer. It is also possible to use the script to brute-force FTP
accounts behind the firewall using the following: -

http://10.0.0.0/cgi-bin/search/show.pl?url...sword@192.168.0.1

Finally, it transpires that it is also possible to read any file on the
filesystem using the following URL: -

http://10.0.0.0/cgi-bin/search/show.pl?url=file:/etc/passwd

This would show the Operating System password file. Requesting only a
directory provides a handy listing.


Tested Versions:
~~~~~~ ~~~~~~~~~

        RiSearch 1.0.01
        RiSearch Pro 3.2.06

Tested Operating Systems:
~~~~~~ ~~~~~~~~~ ~~~~~~~~

        Microsoft Windows 2000



Link is unavailable
Sent by mailing list
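The defect described in the post is a fetch parameter that accepts any scheme, host and port. The following is an added example, not RiSearch code, of the allow-list check such a script should apply before fetching: it rejects every class of URL the advisory abuses (file: and ftp: schemes, credentials in the URL, private and loopback addresses, non-standard ports, and hosts outside the allow list). `ALLOWED_HOSTS` and `validate_fetch_url` are hypothetical names; the sample URLs in the demo are taken from the advisory with a constructed allow-listed host, and the check does not resolve DNS, so it is meant to sit in front of a fetcher that only ever contacts the allow-listed name.

```python
"""Allow-list check for a URL-fetching CGI parameter (added example, not RiSearch code)."""
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allow list: the only hosts the search front-end may fetch from.
ALLOWED_HOSTS = {"www.example.com", "example.com"}
ALLOWED_SCHEMES = {"http", "https"}


def validate_fetch_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> tuple[bool, str]:
    """Return (ok, reason). Only http(s) URLs to allow-listed hosts on
    ports 80/443 pass; everything else is refused before any fetch."""
    try:
        parts = urlsplit(url.strip())
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        # file:, ftp: and any other scheme are rejected outright.
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        # user:password@host is the form used for the FTP brute-force abuse.
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False, "invalid port"
    if port is not None and port not in (80, 443):
        # Blocks hops to internal services such as localhost:8080.
        return False, f"port not allowed: {port}"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # host is a name, not an IP literal
    if ip is not None and (ip.is_private or ip.is_loopback or ip.is_link_local):
        # Defence in depth even if an IP literal were ever allow-listed.
        return False, f"address not routable from outside: {ip}"
    if host.lower() not in allowed_hosts:
        return False, f"host not in allow list: {host}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed demo inputs: one legitimate URL plus the advisory's abuse cases.
    for u in ("http://www.example.com/page.html", "http://www.google.com",
              "http://192.168.0.1", "http://localhost:8080",
              "ftp://192.168.0.1", "http://user:password@192.168.0.1",
              "file:/etc/passwd"):
        print(f"{u:45} -> {validate_fetch_url(u)}")
```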