Products: mnogosearch 3.1.20 and 3.2.10 (http://www.mnogosearch.org) Date: 06 June 2003 Author: pokleyzz <pokleyzz_at_scan-associates.net> Contributors: sk_at_scan-associates.net shaharil_at_scan-associates.net munir_at_scan-associates.net URL: http://www.scan-associates.net
Summary: mnogosearch 3.1.20 and 3.2.10 buffer overflow
Description =========== *mnoGoSearch* (formerly known as *UdmSearch*) is a full-featured web search engine software for intranet and internet servers..
Details ======= There is buffer overflow vulnerabilities in mnogosearch 3.1.20 and 3.2.10.
1) Buffer overflow in "ul" variable in 3.1.20
"ul" variable is used to specify search result to specific url. By supplying crafted "ul" variable more than 5000 user can write arbitrary address and run command as web server user.
ex: http://blablabla.com/cgi-bin/search.cgi?ul=[6000]A`s
proof of concept ---------------- [see attachment: mencari_sebuah_nama.pl]
2) Buffer overflow in "tmplt" variable in 3.2.10 User can crash search.cgi by supplying "tmplt" variable over 1024 character. This is stack base buffer overflow where eip can easily overwritten.
ex:
http://blablabla.com/cgi-bin/search.cgi?tmplt=[1050]A`sproof of concept ---------------- [see attachment: mencari_asal_usul.pl]
Vendor Response =============== Vendor has been contacted on 01/06/2003 and fix is available from cvs at http://www.mnogosearch.org.
mencari_sebuah_nama.pl
Description: Perl program
Description: Perl program
