[Plugins-writers] Inktomi Search Vulnerability

From: Sarju Bhagat (sarju@private)
Date: Tue Jul 06 2004 - 03:38:49 PDT


Hi,

Discovered a vulnerability in an old version of Inktomi Search:
requests using MS-DOS special file names such as nul can cause a
Python error which contains the physical path of the webroot.

The vulnerability has been fixed in the most recent version.

I have attached the test.

Regards

-- 
Sarju Bhagat
Software Engineer
Westpoint Limited
Albion Wharf, 19 Albion Street,
Manchester, M1 5LN
England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: sarju@private
web: www.westpoint.ltd.uk 



#
# This script was written by Sarju Bhagat <sarju@private>
#
# See the Nessus Scripts License for details
#

if(description)
{
 script_id(90008);
 script_bugtraq_id(8050);

 name["english"] = "Inktomi Search Physical Path Disclosure";
 script_name(english:name["english"]);

 script_version ("$Revision: 1.0 $");
 desc["english"] = "
This web server is running a vulnerable version of Inktomi Search

Certain requests using MS-DOS special file names such as nul can cause
a python error. The error message contains sensitive information such
as the physical path of the webroot. This information may be useful to
an attacker.

Solution :
 Upgrade to the latest version. This product is now developed by Verity
 and is called Ultraseek

Risk factor : Low";
 script_description(english:desc["english"]);

 summary["english"] = "Checks for an Inktomi Search vulnerability";
 script_summary(english:summary["english"]);

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2004 Westpoint Limited",
    francais:"Ce script est Copyright (C) 2004 Westpoint Limited");
 family["english"] = "CGI abuses";
 family["francais"] = "Abus de CGI";
 script_family(english:family["english"], francais:family["francais"]);
 script_dependencie("find_service.nes");
 script_require_ports("Services/www", 8765);
 exit(0);
}

include("http_func.inc");
include("http_keepalive.inc");

#
# The script code starts here
#

port = get_http_port(default:8765);
if(!get_port_state(port))exit(0);

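# Request the MS-DOS device name "nul" as if it were a document
req = http_get(item:"/nul", port:port);
res = http_keepalive_send_recv(port:port, data:req);
# No answer from the server: nothing to analyse
if(res == NULL)exit(0);

# Keep only the response lines that mention a directory
webroot = egrep(pattern:"directory", string:res);
if(webroot)
{
  # Extract the single-quoted path from the error line
  webroot = ereg_replace(string:webroot, pattern:"^.*'(.*)'.*$", replace:"\1");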
  report = "
This web server is running a vulnerable version of Inktomi Search

Certain requests using MS-DOS special file names such as nul can cause
a python error. The error message contains sensitive information such
as the physical path of the webroot. This information may be useful to
an attacker.

The remote web root is : " + webroot + "

Solution :
 Upgrade to the latest version. This product is now developed by Verity
 and is called Ultraseek

Risk factor : Low";
  security_warning(port:port, data:report);
}


_______________________________________________
Plugins-writers mailing list
Plugins-writers@private
http://mail.nessus.org/mailman/listinfo/plugins-writers
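
The plugin above detects the disclosure from outside; on the server side the same class of bug is closed by refusing MS-DOS device names before a request path reaches the filesystem. The following Python code is an added example, not part of the original post and not Inktomi/Ultraseek code; the function names and sample paths are constructed, and it generalises from nul to the classic device list (CON, PRN, AUX, NUL, COM1-9, LPT1-9).

```python
import re
from urllib.parse import unquote

# Classic MS-DOS device names; Windows resolves them in every directory.
_DEVICE = re.compile(r"(?:con|prn|aux|nul|com[1-9]|lpt[1-9])", re.IGNORECASE)


def is_dos_device(segment: str) -> bool:
    """True if one path segment names a device: 'nul', 'NUL.txt', 'con '."""
    # Only the part before the first dot decides, and Windows path
    # normalisation drops trailing spaces, so 'nul.txt' and 'nul ' still
    # name the device. A colon is treated like a dot (conservative choice).
    base = re.split(r"[.:]", segment, maxsplit=1)[0].rstrip(" ")
    return _DEVICE.fullmatch(base) is not None


def request_path_is_safe(raw_path: str) -> bool:
    """Return False if any segment of the URL path is a DOS device name."""
    path = unquote(raw_path.split("?", 1)[0])  # drop query, decode %xx once
    segments = re.split(r"[/\\]", path)        # accept both separator styles
    return not any(is_dos_device(s) for s in segments if s)


if __name__ == "__main__":
    # Constructed sample request paths, not taken from the original post.
    for p in ["/nul", "/NUL.txt", "/docs/com1/index.html", "/%6Eul",
              "/con%20", "/null", "/annul.html", "/search?q=nul"]:
        verdict = "serve" if request_path_is_safe(p) else "reject (generic 404)"
        print(f"{p:28} -> {verdict}")
```

A rejected request should get a fixed, generic error body, with the exception text and any filesystem path written only to the server log.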



This archive was generated by hypermail 2.1.3 : Tue Jul 06 2004 - 03:57:16 PDT