| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <15d7f8510609220114k76ecdd5am2260f848b6ad7e7d@mail.gmail.com> Date: Fri, 22 Sep 2006 18:14:14 +1000 From: "Patrick Webster" <patrick@...hack.com> To: bugtraq@...urityfocus.com Subject: Google Mini Search Applicance Path Disclosure aushack.com - Vulnerability Advisory ----------------------------------------------- Release Date: 22-Sep-2006 Software: Google Inc - Google Mini Search Appliance http://www.google.com.au/enterprise/mini/index.html "The Google Mini delivers cost-effective, high-quality search for your public website, intranet, and file servers, and you can be up and running in less than an hour." Versions affected: 4.4.102.M.36 and below. Vulnerability discovered: Reveal web server path. Vulnerability impact: Low - Web server path disclosure. Vulnerability information: User controlled 'client' value. Example (lines may be wrapped): http://mini.site.com.au/search?q=test&client=showmethepathalready Would return the error: "/export/hda3/4.4.102.M.36/local/conf/frontends/showmethepathalready /domain_filter (No such file or directory)" May be able to break out, but not yet found. Fuzz anyone? References: aushack.com advisory http://www.aushack.com/advisories/200609-googlemini.txt Credit: Patrick Webster ( patrick@...hack.com ) Disclosure timeline: 22-Sep-2006 - Disclosure. EOF
Powered by blists - more mailing lists