IRM Security Advisory 9

28 Jul 2004, reported by IRM Research (source: packetstormsecurity.com)

RiSearch and RiSearch Pro suffer from open proxy and file disclosure vulnerabilities.

Code
`=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-  
IRM Security Advisory No. 009  
  
RiSearch and RiSearch Pro are vulnerable to open FTP/HTTP proxy,   
directory listing and file disclosure vulnerabilities  
  
Vulnerability Type / Importance: Network Subversion,   
Open Proxy, Brute-Force Attack  
  
Arbitrary Filesystem Access / High  
  
Problem discovered: July 6th 2004  
Vendor contacted: July 7th 2004  
Advisory published: July 27th 2004  
  
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-  
  
Abstract:  
~~~~~~~~~  
  
The RiSearch (and Pro) Suite is a set of Perl scripts that enables   
users to search web sites. RiSearch (Pro) is vulnerable to an open proxy   
attack that allows access to arbitrary hosts and ports via FTP and HTTP, as  
well as access to the server's file system (files and directory listings)  
outside the web root.   
  
Description:  
~~~~~~~~~~~~  
  
During a recent security testing engagement it was identified that   
public access was granted to a script, show.pl, which fetches a web page and  
highlights words in it based on POST/GET variables. The functionality was  
originally designed to show and highlight pages from the target web site only.   
  
However, it was identified that no access restrictions were applied to   
the script and it was possible to manipulate the variables to make requests  
to other sites, ports and files. For example, one could select: -  
  
http://10.0.0.0/cgi-bin/search/show.pl?url=http://www.google.com  
  
and the site would return the Google web site. Unfortunately this means   
that the server is now an open proxy, and it is possible to utilise the  
script to access web servers on the net and masquerade behind the target's  
site, which is very useful for analysing/attacking other servers using web  
protocols.  
  
Furthermore, it is also possible to request web sites from private IP   
addresses behind the firewall, for example: -   
  
http://10.0.0.0/cgi-bin/search/show.pl?url=http://192.168.0.1  
  
or from another port (in this case a Tomcat admin page): -  
  
http://10.0.0.0/cgi-bin/search/show.pl?url=http://localhost:8080  
  
This seriously circumvents the security of any firewall infrastructure   
in place protecting the hosts.  
  
It was also observed that it was possible to gain access to services   
using the FTP protocol using: -  
  
http://10.0.0.0/cgi-bin/search/show.pl?url=ftp://192.168.0.1  
  
Again, potentially compromising any access restrictions in place at the  
network layer. It is also possible to use the script to brute-force FTP  
accounts behind the firewall using the following: -  
  
http://10.0.0.0/cgi-bin/search/show.pl?url=ftp://username:password@192.168.0.1  
  
Finally, it transpires that it is also possible to read any file on the  
filesystem using the following URL: -  
  
http://10.0.0.0/cgi-bin/search/show.pl?url=file:/etc/passwd  
  
This would return the operating system password file. Requesting a  
directory rather than a file returns a directory listing.  
  
  
Tested Versions:  
~~~~~~ ~~~~~~~~~  
  
RiSearch 1.0.01   
RiSearch Pro 3.2.06   
  
Tested Operating Systems:  
~~~~~~ ~~~~~~~~~ ~~~~~~~~  
  
Microsoft Windows 2000  
  
Vendor & Patch Information:  
~~~~~~ ~ ~~~~~ ~~~~~~~~~~~~  
  
RiSearch were contacted on July 7th 2004 and released the update on   
July 8th 2004, which can be downloaded from http://www.risearch.org  
  
Workarounds:  
~~~~~~~~~~~~  
  
Deny browser access to show.pl (for example with a web server access  
rule) until the vendor update is applied.  
  
Credits:  
~~~~~~~~  
  
Research & Advisory: Phil Robinson, Gerald Gallagher, Kendric Tang  
  
Disclaimer:  
~~~~~~~~~~~  
  
All information in this advisory is provided on an 'as is'  
basis in the hope that it will be useful. Information Risk Management  
Plc is not responsible for any risks or occurrences caused  
by the application of this information.  
  
A copy of this advisory may be found at: -  
  
http://www.irmplc.com/advisories  
  
The PGP key used to sign IRM advisories can be obtained from the above  
URL, or from keyserver.net and its mirrors.  
  
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-  
Information Risk Management Plc. http://www.irmplc.com  
22 Buckingham Gate [email protected]  
London [email protected]  
SW1E 6LB  
`
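The advisory's root cause is that show.pl fetches whatever the url parameter names. The check it was missing, written here as an added example (not code from RiSearch or IRM), is an allow-list on scheme, host, port and credentials, applied to each of the URLs the advisory uses; the same check is then run over constructed web-server log lines to find earlier abuse of the script. The site name www.example.com, the function names and the log lines are assumptions made for this illustration.

```python
"""Added example, not code from RiSearch or IRM: the allow-list check that
show.pl lacked, and a scan of web-server log lines for earlier abuse of the
script. SITE_HOST, the function names and the log lines are assumptions
made for this illustration."""
import re
from urllib.parse import unquote_plus, urlsplit

# The only host the highlighter was designed to fetch pages from (assumed).
SITE_HOST = "www.example.com"
# Allowed scheme -> the single port the fetcher may use for it.
ALLOWED = {"http": 80, "https": 443}


def check_url(url, site_host=SITE_HOST):
    """Return (ok, reason). ok is True only for an http(s) URL whose host is
    site_host, on that scheme's default port, with no credentials."""
    try:
        p = urlsplit(url)
    except ValueError as exc:                 # e.g. malformed IPv6 literal
        return False, "unparseable: %s" % exc
    scheme = p.scheme.lower()
    if scheme not in ALLOWED:                 # file:, ftp:, "//host/..." etc.
        return False, "scheme %r not allowed" % (p.scheme or "")
    if p.username is not None or p.password is not None:
        return False, "credentials in URL"    # ftp brute force, site@evil
    host = p.hostname                         # already lower-cased
    if host is None:
        return False, "no host"               # e.g. http:///etc/passwd
    if host != site_host.lower():
        return False, "host %r is not the site" % host
    try:
        port = p.port                         # ValueError if not numeric
    except ValueError:
        return False, "invalid port"
    if port not in (None, ALLOWED[scheme]):
        return False, "port %d not allowed" % port
    return True, "ok"


# Enough of the Apache "combined" log format for this example.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"[A-Z]+ (?P<target>\S+) [^"]*" \d{3}')


def url_param(target):
    """Return the decoded url= parameter of a show.pl request target, else None."""
    path, _, query = target.partition("?")
    if not path.endswith("/show.pl"):
        return None
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        if name == "url":
            return unquote_plus(value)
    return None


def scan_log(lines, site_host=SITE_HOST):
    """Return (client_ip, decoded_url, reason) for every logged show.pl request
    whose url parameter check_url() would have refused."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = url_param(m.group("target"))
        if url is None:
            continue
        ok, reason = check_url(url, site_host)
        if not ok:
            hits.append((m.group("ip"), url, reason))
    return hits


# Constructed log lines mirroring the requests in the advisory; not real data.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Jul/2004:10:01:12 +0100] "GET /cgi-bin/search/show.pl?url=http%3A%2F%2Fwww.example.com%2Fabout.html&q=risk HTTP/1.1" 200 5120
203.0.113.7 - - [06/Jul/2004:10:02:40 +0100] "GET /cgi-bin/search/show.pl?url=http://www.google.com HTTP/1.1" 200 3022
203.0.113.7 - - [06/Jul/2004:10:03:05 +0100] "GET /cgi-bin/search/show.pl?url=http://192.168.0.1 HTTP/1.1" 200 1873
203.0.113.7 - - [06/Jul/2004:10:03:30 +0100] "GET /cgi-bin/search/show.pl?url=http://localhost:8080 HTTP/1.1" 200 2210
203.0.113.7 - - [06/Jul/2004:10:04:01 +0100] "GET /cgi-bin/search/show.pl?url=ftp%3A%2F%2Fusername%3Apassword%40192.168.0.1 HTTP/1.1" 200 410
203.0.113.7 - - [06/Jul/2004:10:04:30 +0100] "GET /cgi-bin/search/show.pl?url=file%3A%2Fetc%2Fpasswd HTTP/1.1" 200 1288
198.51.100.9 - - [06/Jul/2004:10:05:00 +0100] "GET /index.html HTTP/1.1" 200 2201
"""

if __name__ == "__main__":
    for ip, url, reason in scan_log(SAMPLE_LOG.splitlines()):
        print("%-12s %-45s %s" % (ip, url, reason))
```

Two caveats apply to any fix of this shape. First, the check must be re-run on every redirect target if the fetcher follows HTTP redirects, otherwise a page on the allowed host that redirects elsewhere reopens the proxy. Second, the log scan only sees GET requests; the advisory notes the parameters are accepted via POST as well, and POST bodies are not in the access log, so a clean scan does not prove the script was never abused. The more robust design is not to accept a URL at all but a path relative to the site's own root, so there is no scheme, host or port for a caller to control.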
