Problem:
MondoSearch is a web site search engine made by MondoSoft.
MsmSetup.exe is one of the programs in the default installation. This
program contains a vulnerability that makes it possible to create files
with user-specified content on the web server, or anywhere else the
executing user (typically IUSR_xxx) has write access.
Details:
The vulnerability occurs when MsmSetup.exe is called with a
specially crafted query string.
Impact:
It is possible for a malicious user to create and execute arbitrary ASP
code on the server. This could, in turn, lead to a full compromise of the
server.
Corrective actions:
MondoSoft has released a patch for this issue.
http://www.mondosoft.com/security
Disclaimer:
The information within this document may change without notice. Use of
this information constitutes acceptance for use in an "AS IS" condition.
There are NO warranties with regard to this information. In no event
shall PROTEGO be liable for any consequences or damages, including
direct, indirect, incidental, consequential, loss of business profits or
special damages, arising out of or in connection with the use or spread
of this information. Any use of this information lies within the user's
responsibility. All registered and unregistered trademarks represented
in this document are the sole property of their respective owners.
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Advisory information:
PROTEGO Security Advisory #PSA200302
Topic: MondoSoft File Creation vulnerability
Application: MondoSearch 4.4, 5.0, and 5.1
Author: Jens H. Christensen (jhc at protego.dk)
Advisory URL: http://www.protego.dk/advisories/200302.html
Identifiers: CERT: VU# 756556
Vendor Name: MondoSoft
Vendor URL: http://www.mondosoft.com
Vendor contacted: 15-Sep-2003
Public release: 24-Sep-2003
Archived as: SECURITYVULNS:DOC:5152 (https://vulners.com/securityvulns/SECURITYVULNS:DOC:5152)