lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <3EE539F8.1040406@scan-associates.net> From: pokleyzz at scan-associates.net (pokleyzz) Subject: mnogosearch 3.1.20 and 3.2.10 buffer overflow Products: mnogosearch 3.1.20 and 3.2.10 (http://www.mnogosearch.org) Date: 06 June 2003 Author: pokleyzz <pokleyzz_at_scan-associates.net> Contributors: sk_at_scan-associates.net shaharil_at_scan-associates.net munir_at_scan-associates.net URL: http://www.scan-associates.net Summary: mnogosearch 3.1.20 and 3.2.10 buffer overflow Description =========== *mnoGoSearch* (formerly known as *UdmSearch*) is a full-featured web search engine software for intranet and internet servers.. Details ======= There is buffer overflow vulnerabilities in mnogosearch 3.1.20 and 3.2.10. 1) Buffer overflow in "ul" variable in 3.1.20 "ul" variable is used to specify search result to specific url. By supplying crafted "ul" variable more than 5000 user can write arbitrary address and run command as web server user. ex: http://blablabla.com/cgi-bin/search.cgi?ul=[6000]A`s proof of concept ---------------- [see attachment: mencari_sebuah_nama.pl] 2) Buffer overflow in "tmplt" variable in 3.2.10 User can crash search.cgi by supplying "tmplt" variable over 1024 character. This is stack base buffer overflow where eip can easily overwritten. ex: http://blablabla.com/cgi-bin/search.cgi?tmplt=[1050]A`s proof of concept ---------------- [see attachment: mencari_asal_usul.pl] Vendor Response =============== Vendor has been contacted on 01/06/2003 and fix is available from cvs at http://www.mnogosearch.org. -------------- next part -------------- A non-text attachment was scrubbed... Name: mencari_sebuah_nama.pl Type: application/x-perl Size: 4883 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030610/435366fb/mencari_sebuah_nama.bin -------------- next part -------------- A non-text attachment was scrubbed... Name: mencari_asal_usul.pl Type: application/x-perl Size: 4001 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030610/435366fb/mencari_asal_usul.bin