SecurityTracker
Archives
Category:   Application (Generic)  >   RiSearch Vendors:   RiSearch Software
RiSearch/RiSearch Pro Discloses Files to Remote Users and Can Be Used as an Open Proxy
SecurityTracker Alert ID:  1010788
SecurityTracker URL:  http://securitytracker.com/id/1010788
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 27 2004
Impact:   Disclosure of system information, Disclosure of user information, Host/resource access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): Tested on RiSearch 1.0.01, RiSearch Pro 3.2.06
Description:   Several vulnerabilities were reported in RiSearch and RiSearch Pro in 'show.pl'. A remote user can obtain files on the target system that are located outside of the web document directory. A remote user can also invoke the search engine as an open proxy to connect to ports on arbitrary systems.

Information Risk Management reported that a remote user can submit a specially crafted request to view known files on the target system with the privileges of the target web service. A demonstration exploit URL is provided:

http://10.0.0.0/cgi-bin/search/show.pl?url=file:/etc/passwd

It is also reported that a remote user can specify a remote site in the 'url' parameter to view the specified URL (via the search engine site). If the search engine is located behind a firewall and is accessible via a less-trusted network, this may allow a remote user on the less-trusted network to access web sites that are located behind the firewall. A demonstration exploit URL is provided:

http://10.0.0.0/cgi-bin/search/show.pl?url=http://192.168.0.1

It is also possible to access other ports using the HTTP protocol, as shown in the following example:

http://10.0.0.0/cgi-bin/search/show.pl?url=http://localhost:8080

It is also possible to access FTP services, as shown in the following example:

http://10.0.0.0/cgi-bin/search/show.pl?url=ftp://192.168.0.1

The vendor was reportedly notified on July 7, 2004.

Impact:   A remote user can view files on the target system that are located outside of the web document directory. Files can be viewed with the privileges of the target web service.

A remote user can use the search engine as an open proxy to connect to other sites via the search engine host.
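The common root cause of every request type described above is that show.pl fetches whatever the caller supplies in 'url' before checking it. As an added example (not RiSearch's code and not part of the advisory), the following Python allow-list check shows what such a script must enforce on the 'url' parameter before any fetch; the host www.example.com is an assumed stand-in for the site the search engine indexes.

```python
from urllib.parse import parse_qs, urlsplit

# Assumptions (not from the advisory): the search engine indexes a single
# site served from this host, on the default HTTP/HTTPS ports only.
ALLOWED_HOSTS = {"www.example.com"}
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}


def is_safe_target(url: str) -> bool:
    """Allow-list check for a caller-supplied 'url' value.

    Only http(s) URLs for the site's own host, without embedded credentials
    and on a default port, pass. Every target type the advisory lists
    (file:, ftp:, other hosts, private IPs, alternate ports) is rejected.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False  # file:/etc/passwd, ftp://...
    if parts.username is not None or parts.password is not None:
        return False  # ftp://user:pass@host, http://allowed-host@other-host/
    if (parts.hostname or "").lower() not in ALLOWED_HOSTS:
        return False  # other sites, 192.168.0.1, localhost
    if port not in ALLOWED_PORTS:
        return False  # localhost:8080-style pivots to other services
    return True


def check_show_request(query_string: str) -> bool:
    """Decide whether a show.pl-style query string may be served at all."""
    urls = parse_qs(query_string, keep_blank_values=True).get("url", [])
    # Exactly one 'url' value; a duplicate could smuggle a second target.
    return len(urls) == 1 and is_safe_target(urls[0])


if __name__ == "__main__":
    # Constructed samples: the advisory's demonstration targets plus one
    # legitimate same-site page.
    for sample in (
        "url=file:/etc/passwd",
        "url=http://192.168.0.1",
        "url=http://localhost:8080",
        "url=ftp://username:password@192.168.0.1",
        "url=http://www.example.com/docs/index.html&q=term",
    ):
        print("ALLOW" if check_show_request(sample) else "DENY ", sample)
```

A fixed host allow-list is deliberately used instead of a private-address deny-list, since the script only ever needs to fetch pages from the site it indexes.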

Solution:   The vendor has issued fixed versions, available at:

http://www.risearch.org/

Vendor URL:  www.risearch.org
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Underlying OS Comments:  Tested on Microsoft Windows 2000

Message History:   None.


 Source Message Contents

Subject:  IRM 009: RiSearch and RiSearch Pro are vulnerable to open FTP/HTTP proxy, directory listings and file disclosure vulnerabilities


=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
IRM Security Advisory No. 009

	RiSearch and RiSearch Pro are vulnerable to open FTP/HTTP proxy, 
	directory listings and file disclosure vulnerabilities

	Vulnerability Type / Importance: Network Subversion, 
					Open Proxy, Brute-Force Attack

	Arbitrary Filesystem Access / High

	Problem discovered: July 6th 2004
	Vendor contacted: July 7th 2004
	Advisory published: July 27th 2004

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Abstract:
~~~~~~~~~

	The RiSearch (and Pro) Suite is a set of Perl scripts that enables 
users to search web sites.  RiSearch (Pro) is vulnerable to an open proxy 
attack that allows arbitrary access to ports via FTP and HTTP as well as
access to the remote file system (files and directory listings) outside the
web root. 

Description:
~~~~~~~~~~~~

	During a recent security testing engagement it was identified that 
public access was granted to a script show.pl, which grabs a web page and
highlights words in it based on POST/GET variables. The functionality was
originally designed to show and highlight pages from the target web site only. 

However, it was identified that no access restrictions were applied to 
the script and it was possible to manipulate the variables to make requests
to other sites, ports and files.  For example, one could select: -

http://10.0.0.0/cgi-bin/search/show.pl?url=http://www.google.com

and the site would return the Google web site. Unfortunately this means 
that the server is now an open proxy, and it is possible to utilise the
script to access web servers on the net and masquerade behind the target's site, 
which is very useful for analysing/attacking other servers using web
protocols.

Furthermore, it is also possible to request web sites from private IP 
addresses behind the firewall, for example: - 

http://10.0.0.0/cgi-bin/search/show.pl?url=http://192.168.0.1

or from another port (in this case a Tomcat admin page): -

http://10.0.0.0/cgi-bin/search/show.pl?url=http://localhost:8080

This seriously circumvents the security of any firewall infrastructure 
in place protecting the hosts.

It was also observed that it was possible to gain access to services 
using the FTP protocol using: -

http://10.0.0.0/cgi-bin/search/show.pl?url=ftp://192.168.0.1

Again, potentially compromising any access restrictions in place at the
network layer. It is also possible to use the script to brute-force FTP
accounts behind the firewall using the following: -

http://10.0.0.0/cgi-bin/search/show.pl?url=ftp://username:password@192.168.0.1

Finally, it transpires that it is also possible to read any file on the
filesystem using the following URL: -

http://10.0.0.0/cgi-bin/search/show.pl?url=file:/etc/passwd

This would show the Operating System password file. Requesting only a
directory provides a handy listing.


Tested Versions:
~~~~~~ ~~~~~~~~~

	RiSearch 1.0.01 
	RiSearch Pro 3.2.06 

Tested Operating Systems:
~~~~~~ ~~~~~~~~~ ~~~~~~~~

	Microsoft Windows 2000

Vendor & Patch Information:
~~~~~~ ~ ~~~~~ ~~~~~~~~~~~~

	RiSearch were contacted on July 7th 2004 and released the update on 
July 8th 2004, which can be downloaded from http://www.risearch.org

Workarounds:
~~~~~~~~~~~~

        Deny browser access to show.pl

Credits:
~~~~~~~~

	Research & Advisory: Phil Robinson, Gerald Gallagher, Kendric Tang

Disclaimer:
~~~~~~~~~~~

	All information in this advisory is provided on an 'as is'
basis in the hope that it will be useful. Information Risk Management
Plc is not responsible for any risks or occurrences caused
by the application of this information.

A copy of this advisory may be found at: -

http://www.irmplc.com/advisories

The PGP key used to sign IRM advisories can be obtained from the above
URL, or from keyserver.net and its mirrors.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Information Risk Management Plc.        http://www.irmplc.com
22 Buckingham Gate                      advisories@irmplc.com
London                                  info@irmplc.com
SW1E 6LB
