mnGoSearch, formerly known as UdmSearch, has buffer overflow vulnerabilities in versions 3.1.20 and 3.2.10. In 3.1.20, the ul variable can be overflowed to allow remote command execution as the webserver user id. In 3.2.10, a remote attacker can crash search.cgi by overflowing the tmplt variable.
ac17442c31b15e3413d421ae705ffc5b64ba90f58e3a9a45847804e8ab31da87Products: mnogosearch 3.1.20 and 3.2.10 (http://www.mnogosearch.org)
Date: 06 June 2003
Author: pokleyzz <pokleyzz_at_scan-associates.net>
Contributors: sk_at_scan-associates.net
shaharil_at_scan-associates.net
munir_at_scan-associates.net
URL: http://www.scan-associates.net
Summary: mnogosearch 3.1.20 and 3.2.10 buffer overflow
Description
===========
*mnoGoSearch* (formerly known as *UdmSearch*) is a full-featured web
search engine software for intranet and internet servers..
Details
=======
There is buffer overflow vulnerabilities in mnogosearch 3.1.20 and 3.2.10.
1) Buffer overflow in "ul" variable in 3.1.20
"ul" variable is used to specify search result to specific url. By supplying
crafted "ul" variable more than 5000 user can write arbitrary address and
run command as web server user.
ex:
http://blablabla.com/cgi-bin/search.cgi?ul=[6000]A`s
proof of concept
----------------
[see attachment: mencari_sebuah_nama.pl]
2) Buffer overflow in "tmplt" variable in 3.2.10
User can crash search.cgi by supplying "tmplt" variable over 1024 character.
This is stack base buffer overflow where eip can easily overwritten.
ex:
http://blablabla.com/cgi-bin/search.cgi?tmplt=[1050]A`s
proof of concept
----------------
[see attachment: mencari_asal_usul.pl]
Vendor Response
===============
Vendor has been contacted on 01/06/2003 and fix is available from cvs at
http://www.mnogosearch.org.
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed