Products: mnogosearch 3.1.20 and 3.2.10 (http://www.mnogosearch.org)
Date: 06 June 2003
Author:  pokleyzz <pokleyzz_at_scan-associates.net>
Contributors:	sk_at_scan-associates.net
		shaharil_at_scan-associates.net
		munir_at_scan-associates.net
URL: http://www.scan-associates.net

Summary: mnogosearch 3.1.20 and 3.2.10 buffer overflow

Description
===========
*mnoGoSearch* (formerly known as *UdmSearch*) is a full-featured web
search engine software for intranet and internet servers..

Details
=======
There is buffer overflow vulnerabilities in mnogosearch 3.1.20 and 3.2.10.

1) Buffer overflow in "ul" variable in 3.1.20

"ul" variable is used to specify search result to specific url. By supplying
crafted "ul" variable more than 5000 user can write arbitrary address and
run command as web server user.

ex:
   http://blablabla.com/cgi-bin/search.cgi?ul=[6000]A`s

proof of concept
----------------
[see attachment: mencari_sebuah_nama.pl]

2) Buffer overflow in "tmplt" variable in 3.2.10
User can crash search.cgi by supplying "tmplt" variable over 1024 character.
This is stack base buffer overflow where eip can easily overwritten.

ex:
    http://blablabla.com/cgi-bin/search.cgi?tmplt=[1050]A`s

proof of concept
----------------
[see attachment: mencari_asal_usul.pl]

Vendor Response
===============
Vendor has been contacted on 01/06/2003 and fix is available from cvs at
http://www.mnogosearch.org.