lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
From: pokleyzz at scan-associates.net (pokleyzz)
Subject: mnogosearch 3.1.20 and 3.2.10 buffer overflow

Products: mnogosearch 3.1.20 and 3.2.10 (http://www.mnogosearch.org)
Date: 06 June 2003
Author:  pokleyzz <pokleyzz_at_scan-associates.net>
Contributors:	sk_at_scan-associates.net
		shaharil_at_scan-associates.net
		munir_at_scan-associates.net
URL: http://www.scan-associates.net

Summary: mnogosearch 3.1.20 and 3.2.10 buffer overflow

Description
===========
*mnoGoSearch* (formerly known as *UdmSearch*) is a full-featured web
search engine software for intranet and internet servers..

Details
=======
There is buffer overflow vulnerabilities in mnogosearch 3.1.20 and 3.2.10.

1) Buffer overflow in "ul" variable in 3.1.20

"ul" variable is used to specify search result to specific url. By supplying
crafted "ul" variable more than 5000 user can write arbitrary address and
run command as web server user.

ex:
    http://blablabla.com/cgi-bin/search.cgi?ul=[6000]A`s

proof of concept
----------------
[see attachment: mencari_sebuah_nama.pl]

2) Buffer overflow in "tmplt" variable in 3.2.10
User can crash search.cgi by supplying "tmplt" variable over 1024 character.
This is stack base buffer overflow where eip can easily overwritten.

ex:
     http://blablabla.com/cgi-bin/search.cgi?tmplt=[1050]A`s

proof of concept
----------------
[see attachment: mencari_asal_usul.pl]

Vendor Response
===============
Vendor has been contacted on 01/06/2003 and fix is available from cvs at
http://www.mnogosearch.org.






-------------- next part --------------
A non-text attachment was scrubbed...
Name: mencari_sebuah_nama.pl
Type: application/x-perl
Size: 4883 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030610/435366fb/mencari_sebuah_nama.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mencari_asal_usul.pl
Type: application/x-perl
Size: 4001 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030610/435366fb/mencari_asal_usul.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ