what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

SLA-16.MasterIndex.txt

SLA-16.MasterIndex.txt
Posted Oct 11, 2000
Authored by synnergy, Kostas Petrakis | Site synnergy.net

Synnergy Laboratories Advisory SLA-2000-16 - Synnergy Labs has found a flaw within Master Index for Linux/UNIX that allows a user to successfully traverse the filesystem on a remote host, allowing arbitary files/folders to be read. Exploit URL included. Fix available here.

tags | exploit, remote
systems | linux, unix
SHA-256 | a23909da35478f6a2095d6d342fb63d5f4accfbcc2879f4add37f28616e828c3

SLA-16.MasterIndex.txt

Change Mirror Download
        Synnergy Laboratories Advisory SLA-2000-16

NAME

Master Index directory traversal vulnerability

AFFECTED

Linux/UNIX with Master Index

SYNOPSIS

Synnergy Labs has found a flaw within Master Index that allows a user to successfully
traverse the filesystem on a remote host, allowing arbitary files/folders to be
read.


DESCRIPTION

Master Index is a professional search engine such as Yahoo and Alta Vista.
This search engine supports loads of features. Admins can set script to automatically
add submissions or wait until confirmed by the admin, users can edit and delete their
listings, admins can add/edit/delete categories and sub-categories, and supports
unlimited listings. Product pricing is $199.95 US

Master Index can be found at:http://www.armadastyle.com/masterindex.html

Synnergy has recently discovered a flaw within Master Index that allows a remote user
to traverse the filesystem as a request to the script using the
$catigory=_some_dir_variable. It is then possible to read any file or folder's contents
with priviledges as the httpd.

Example:

http://www.target.com/cgi-bin/search/search.cgi?keys=*&prc=any&catigory=../../../../../../../../etc

The above line if given will output all the directories and the file contents, that are
nested within /etc directory. Other more sinister content can be revealed from there.

Due to the commercial license of the product we where unable to check the code for the
exact bug, or even for the discovery of more bugs.


SOLUTION

The vendors have been informed of the bug. It is advised to wait for the next patched
version of Master Index to be released.


AUTHOR

Discovery: pestilence @ synnergy.net


DISCLAIMER

Synnergy Laboratories may not be held liable for the use or potential
effects of these programs or advisories, nor the content contained
within. Use them at your own risk.

COPYRIGHT

Synnergy Laboratories - www.synnergy.net (c) 1998-2000

Login or Register to add favorites

File Archive:

December 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    2 Files
  • 2
    Dec 2nd
    12 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    14 Files
  • 6
    Dec 6th
    18 Files
  • 7
    Dec 7th
    11 Files
  • 8
    Dec 8th
    36 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close