Verity Ultraseek /highlight/index.html Arbitrary Proxy

2006-11-15T00:00:00
ID OSVDB:30286
Type osvdb
Reporter Sullo(sullo@cirt.net)
Modified 2006-11-15T00:00:00

Description

Vulnerability Description

Ultraseek allows attackers to use the highlight feature to load remote pages. Full URLs sent to the "url" parameter of /highlight/index.html will be loaded by the Ultraseek server, then sent to the browser. This can be used to load URLs the web server running Ultraseek can contact which may not be accessible from the client.

Through the same parameter, error messages can determine the existence of hosts, and determine if ports are open. It may also execute script code contained in the loaded HTML.

Technical Description

The "url" parameter of /highlight/index.html is used to load a page which will be highlighted for search terms by the Ultraseek server. The remote page is loaded into a content area of the page sent to the client.

A full URL can be passed through the parameter. This can be used to load pages not accessible from the client but can be seen from the server, for example, http://localhost/server-info or hosts within a DMZ.

This functionality can also be used for host discovery and port scanning. Error messages differ if a host cannot be connected to, or if a port is not open.

Solution Description

Upgrade to version 5.7 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

Ultraseek allows attackers to use the highlight feature to load remote pages. Full URLs sent to the "url" parameter of /highlight/index.html will be loaded by the Ultraseek server, then sent to the browser. This can be used to load URLs the web server running Ultraseek can contact which may not be accessible from the client.

Through the same parameter, error messages can determine the existence of hosts, and determine if ports are open. It may also execute script code contained in the loaded HTML.

Manual Testing Notes

http://[victim]/highlight/index.html?url=http%3A//[remotesite]/&fterm=string&la=en

References:

Secunia Advisory ID:22892 Related OSVDB ID: 30289 Related OSVDB ID: 30287 Related OSVDB ID: 30288 Other Advisory URL: http://zerodayinitiative.com/advisories/ZDI-06-042.html Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-11/0289.html ISS X-Force ID: 30311 CVE-2006-5819