RiSearch show.pl Arbitrary File Access

2004-07-27T03:22:01
ID OSVDB:8266
Type osvdb
Reporter IRM Advisories (advisories@irmplc.com)
Modified 2004-07-27T03:22:01

Description

Vulnerability Description

RiSearch contains a flaw that may lead to unauthorized information disclosure. The issue is triggered when an arbitrary local file path is passed to show.pl, which then discloses the file's contents, resulting in a loss of confidentiality.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Manual Testing Notes

http://[victim]/cgi-bin/search/show.pl?url=file:/etc/passwd
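
Since no fix is listed, one practical check is to review web server access logs for show.pl requests whose url parameter is not an http or https URL. The following is an added example, not part of the original advisory or of RiSearch; the log lines are constructed, and treating only http and https as legitimate schemes is an assumption.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request line inside a Common/Combined Log Format entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: show.pl is only ever expected to display web pages.
ALLOWED_SCHEMES = {"http", "https"}

# Constructed sample entries (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Jul/2004:03:20:00 +0000] "GET /cgi-bin/search/show.pl?url=http://www.example.com/a.html HTTP/1.0" 200 5120',
    '192.0.2.44 - - [27/Jul/2004:03:25:10 +0000] "GET /cgi-bin/search/show.pl?url=file:/etc/passwd HTTP/1.0" 200 1432',
    '192.0.2.44 - - [27/Jul/2004:03:25:12 +0000] "GET /cgi-bin/search/show.pl?url=FILE%253A%252Fetc%252Fpasswd HTTP/1.0" 200 1432',
    '192.0.2.10 - - [27/Jul/2004:03:26:00 +0000] "GET /index.html HTTP/1.0" 200 2048',
]


def url_param_scheme(value):
    """Return the lowercased scheme of a url= value, peeling nested percent-encoding."""
    for _ in range(3):  # parse_qs already decoded once; undo up to three more layers
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    m = re.match(r"\s*([A-Za-z][A-Za-z0-9+.\-]*):", value)
    return m.group(1).lower() if m else ""


def suspicious_show_requests(log_lines):
    """Yield (line, scheme) for show.pl requests whose url= is not http(s)."""
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        if not unquote(parts.path).lower().endswith("/show.pl"):
            continue
        for value in parse_qs(parts.query, keep_blank_values=True).get("url", []):
            scheme = url_param_scheme(value)
            if scheme not in ALLOWED_SCHEMES:
                yield line, scheme or "(none)"


if __name__ == "__main__":
    for line, scheme in suspicious_show_requests(SAMPLE_LOG):
        print(f"[scheme={scheme}] {line}")
```

Values with no scheme at all are also reported, because a bare path is not an http or https URL either.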

References:

Vendor URL: http://www.risearch.org
Security Tracker: 1010788
Secunia Advisory ID: 12173
Related OSVDB ID: 8265
Packet Storm: http://packetstormsecurity.org/0407-exploits/IRM-009.txt
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-07/0302.html
ISS X-Force ID: 16817