qitest1 security advisory #003
Bug in mnogosearch-3.1.19 and prior
-----------------------------------------------

PROGRAM DESCRIPTION

mnoGoSearch is a full-featured SQL-based web search engine, available
from http://www.mnogosearch.org.

PROBLEM DESCRIPTION

When it receives an overly long query string (the q variable), search.cgi
segfaults (http://127.0.0.1/cgi-bin/search.cgi?q=query). The bug lies in
the mishandling of heap-allocated memory. It could be abused by remote
attackers to execute code with web server privileges.

SOLUTION

Authors were contacted a month ago: they told me that the CVS version had
been fixed. Nevertheless, the stable version recommended on their web site
is still bugged. At the moment you should disable search.cgi, use the
stupid patch attached to this advisory (for 3.1.19), or alternatively
install the latest CVS version.

--
---- q1-- http://qitest1.0xfee1dead.net/ --
This archive was generated by hypermail 2b30 : Sat May 11 2002 - 12:07:03 PDT