Mobileunit Security Advisory 001 - Privacy hole in Go Express Search. Disney's Go Express Search operates an http server at port 1234 without authentication. Remote users can submit search queries, and view queries and personal links left by other users. It's possible to access the configuration interface, which can reveal the e-mail address of the user who registered it. Configuration settings can be changed remotely to, for instance, add, remove or alter personal links.
c9185d378aa41a4e82bd6db449c12e8d7b0a1e1020caecaaac4660d85cd539b4
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<html>
<head>
<title>001 -- Go Express Search Privacy Hole</title>
</head>
<body bgcolor=#000000 text=#FFFFFF vlink=#FFFF00 alink=#FFFFFF link=#66CCFF >
<div align=right>
<FONT COLOR=#66CCFF>
<B>Mobileunit Security Advisory 001</B>
<BR>
December 12, 1999</FONT></DIV>
<h1 align=center><FONT COLOR=#CC99FF>Privacy hole in Go Express Search</FONT></h1>
<BR>
<B>Description</B>
<BR>
Disney's <A HREF="http://express.go.com/">Go Express Search</A> operates an http
server at port 1234 without authentication. Remote users can submit search queries,
and view queries and personal links left by other users. It's possible to access
the configuration interface, which can reveal the e-mail address of the user who
registered it. Configuration settings can be changed remotely to, for instance,
add, remove or alter personal links.
<P>
<B>Exploit:</B>
<BR>
If "luser.dialup.someisp.com" is running Express Search, visit http://luser.dialup.someisp.com:1234/.
If your web server records the <A HREF="http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.36">
http Referer header field.</A> (here's how to <A HREF="http://www.apache.org/docs/mod/mod_log_config.html">
enable this</A> in Apache) you can identify Express Search users by the Refer string
"http://localhost:1234/HLPage". By automating this process, you can get the email addresses of
users who find your page through Express Search. (This is similar to the
<A HREF="http://andrew2.andrew.cmu.edu/rfc/rfc1413.html">ident</A> privacy problem on Unix which
has been, unfortunately, covered up to protect ident's utility for tracking third-rate crackers.)
<P>
Express Search users can also be discovered by scanning entire netblocks for TCP port 1234 with a
utility such as <A HREF="http://www.insecure.org/nmap/">nmap.</A>
<P>
<B>Discussion:</B>
<BR>
To prevent attacks, disable Express Search on your computer and wait for a patch from Disney.
This vulnerability was discovered by analysis of server logs from <A HREF="http://www.honeylocust.com/">
www.honeylocust.com:</A> the same method can be used to find users of other applications that act as
personal web servers. Authors of personal web servers should use host-based or other authentication
to prevent similar attacks.
<BR>
<img src="/tran.gif" height=1 width=1 vspace=7>
<div align=center>
© 1999 <A HREF="http://www.honeylocust.com/">Honeylocust Media Systems</A> contact:
<a href="mailto:mobileunit@mobileunit.org">mobileunit@mobileunit.org.</A> Visit
<A HREF="http://www.honeylocust.com/positive/">Positive Propaganda</A>, our directory
of independent web sites and <A HREF="http://www.tapir.org/airstrike/">Airstrike.</A>
</div>
</body>
</html>