[LWN Logo]
[Timeline]
Date:         Mon, 9 Oct 2000 22:55:12 +0300
From: pestilence <pestilence@SYNNERGY.NET>
Subject:      Master Index traverse advisory
To: BUGTRAQ@SECURITYFOCUS.COM

This is a multi-part message in MIME format.
--------------FAC2FB1A4F35E9ECE310E741
Content-Type: text/plain; charset=iso-8859-7
Content-Transfer-Encoding: 7bit

Please find attached our advisory for Master Index cgi script.

--------------FAC2FB1A4F35E9ECE310E741
Content-Type: text/plain; charset=iso-8859-7;
 name="SLA-16.MasterIndex.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="SLA-16.MasterIndex.txt"

        Synnergy Laboratories Advisory SLA-2000-16

NAME

       Master Index directory traversal vulnerability

AFFECTED

        Linux/UNIX with Master Index

SYNOPSIS

 Synnergy Labs has found a flaw within Master Index that allows a user to successfully
 traverse the filesystem on a remote host, allowing arbitary files/folders to be
 read.


DESCRIPTION

 Master Index is a professional search engine such as Yahoo and Alta Vista.
 This search engine supports loads of features. Admins can set script to automatically
 add submissions or wait until confirmed by the admin, users can edit and delete their
 listings, admins can add/edit/delete categories and sub-categories, and supports
 unlimited listings. Product pricing is $199.95 US

 Master Index can be found at:http://www.armadastyle.com/masterindex.html

 Synnergy has recently discovered a flaw within Master Index that allows a remote user
 to traverse the filesystem as a request to the script using the
 $catigory=_some_dir_variable. It is then possible to read any file or folder's contents
 with priviledges as the httpd.

 Example:

 http://www.target.com/cgi-bin/search/search.cgi?keys=*&prc=any&catigory=../../../../../../../../etc

 The above line if given will output all the directories and the file contents, that are
 nested within /etc directory. Other more sinister content can be revealed from there.

 Due to the commercial license of the product we where unable to check the code for the
 exact bug, or even for the discovery of more bugs.


SOLUTION

  The vendors have been informed of the bug. It is advised to wait for the next patched
  version of Master Index to be released.


AUTHOR

        Discovery: pestilence @ synnergy.net


DISCLAIMER

        Synnergy Laboratories may not be held liable for the use or potential
        effects of these programs or advisories, nor the content contained
        within. Use them at your own risk.

COPYRIGHT

        Synnergy Laboratories -  www.synnergy.net (c) 1998-2000

--------------FAC2FB1A4F35E9ECE310E741--