OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Bugtraq Archives: Re: Follow UP AltaVista

Re: Follow UP AltaVista

Subject: Re: Follow UP AltaVista
From: AVsearch (AVsearchAND.AV.COM)
Date: Thu Dec 30 1999 - 13:33:06 CST

To disable this security hole temporarily, until a patch is
available later today, follow the steps detailed below.

Unfortunately, AltaVista was just apprised of this problem today.
(It is not clear who at AltaVista was contacted ~3 months ago.)

Regards,
AltaVista Engineering
---------------------

Full steps would be:

- edit <install-dir>/httpd/config file and change MGMT_IPSPEC from
"0.0.0.0/0" to a specific IP such as "127.0.0.1/32"
- stop page gathering via management interface
- restart altavista search service (to re-read config file)
- restart page gathering if necessary
- change the username/password through the management interface to bogus
information
- exploit server and download ../logs/mgtstate (puts file in cache)
  http://localhost:9000/cgi-bin/query?mss=../logs/mgtstate
- change the username/password through the management interface to something
different (but not used anywhere else)
- avoid restarting the AltaVista service or clearing the cache

Now when a user grabs the file, they will get the old cached information
which
is now invalid. This will last for as long as the mgtstate file stays in
the mhttpd's cache (until the service is restarted again).

This archive was generated by hypermail 2b27 : Fri Dec 31 1999 - 02:01:24 CST