• Home
• About us
  • Our company
  • Careers
  • Contact us
  • Legal and privacy
• Security management
  • Information Security Healthcheck
  • Risk Assessment
  • Security Documentation Sets
• PCI compliance
  • PCI DSS Compliance
  • PCI - PA DSS compliance
  • PCI - Qualified Forensic Investigator
  • ASV Scans
  • OmniPORT
• Application security
  • Application Security Test
  • Application Architecture Assessment
  • Security Code Review
  • Product Security Review
  • Secure Development Training
• Infrastructure security
  • Penetration Testing
  • Managed Vulnerability Scanning
  • Infrastructure Assessment
  • Security Design Review
• Incident response
  • Digital Forensics
  • Incident Response
  • NetFACTS
• Newsroom
  • Press Releases

• Text size
• A
• A
• A

How can IRM help us?

• Make our business PCI compliant

  How can IRM help us make our business PCI compliant?

  As one of the leading independent providers of information security consultancy and security testing services, IRM's PCI DSS services have helped several businesses with their compliance roadmap.

  Like to know more?

  Use the links below to view more information about the services discussed above.

  • OmniPORT
  • ASV Scans
  • Penetration Testing
  • PCI DSS Compliance
• Write code securely

  How can IRM help us to write code securely?

  How secure your code is depends on how security aware your development team is. IRM’s Secure Development Training exposes your developers to common application layer vulnerabilities and explains how they manifest in various development platforms.

  Combine this with an ongoing code review process and it will highlight areas for improvement that can be fed back into the development cycle.

  Like to know more?

  Use the links below to view more information about the services discussed above.

  • Secure Development Training
  • Security Code Review
• Assess the security of our new e-commerce platform

  How can IRM help us assess the security of our new e-commerce platform?

  Assessing the security of your business application depends on its development phase. The design should be reviewed early on in the project to ensure critical security requirements will be fulfilled and to weed out any glaring issues that could slip into production.

  At development time, proactive identification of vulnerabilities via code review will cut costs associated with fixing defects in production. Finally, testing before going live is indispensable in ensuring the application provides a safe and secure environment for your customers and your business.

  Like to know more?

  Use the links below to view more information about the services discussed above.

  • Application Architecture Assessment
  • Security Code Review
  • Application Security Test
• Identify security bugs in our new product

  How can IRM help us Identify security bugs in our new product?

  IRM’s Product Security Review service exposes your product to all the necessary and rigorous processes you need to ship a secure release.

  Like to know more?

  Use the links below to view more information about the service discussed above.

  • Product Security Review
• Review the security of our new infrastructure project

  How can IRM help us review the security of our new infrastructure project?

  IRM’s infrastructure security services can assist you in reviewing the design and configuration followed by penetration testing of your business critical systems to ensure they are secure and sufficiently hardened.

  Like to know more?

  Use the links below to view more information about the services discussed above.

  • Security Design Review
  • Infrastructure Assessment
  • Penetration Testing
• Implement a security management process

  How can IRM help us implement a security management process?

  From assessing the effectiveness of your information security processes to carrying out risk assessments of mature business environments, IRM consultants are equipped with the right tools and experience to generate a holistic view of the state of security in your organisation.

  Like to know more?

  Use the links below to view more information about the services discussed above.

  • Information Security Health Check
  • Risk Assessment
• Confirm our security policy is being enforced

  How can IRM help us confirm our security policy is being enforced?

  IRM’s NetFACTS offering is a highly customizable service that reviews your fair use policies and translates them into software rules against which all network traffic is matched to identify deviations and policy violations.

  Like to know more?

  Use the links below to view more information about the service discussed above.

  • NetFACTS
• Manage a security breach

  How can IRM help us manage a security breach?

  The key to managing a security incident is timely identification and response. IRM’s Incident Response service coupled with our Digital Forensics capabilities has helped organisations detect, contain and eradicate incident sources for mission critical systems especially systems surrounding payment card data.

  Once eradication is completed, our NetFACTS probes can be customized and deployed during the recovery and follow up phases to monitor and detect potential remnants of the incident.

  Like to know more?

  Use the links below to view more information about the services discussed above.

  • Incident Response
  • Digital Forensics
  • NetFACTS

Upcoming Events

RiSearch and RiSearch Pro Multiple Vulnerabilities

RiSearch and RiSearch Pro are vulnerable to open FTP/HTTP proxy, directory listings and file disclosure vulnerabilities

Vulnerability Type / Importance: Network Subversion, Arbitrary Filesystem Access / High

Problem discovered: July 6th 2004
Vendor contacted: July 7th 2004
Advisory published: July 27th 2004

Abstract :
The RiSearch (and Pro) Suite is a set of PERL scripts that enables users to search web sites.

RiSearch (Pro) is vulnerable to an open proxy attack that allows arbitrary access to ports via FTP and HTTP as well as access to the remote file system (files and directory listings) outside the web root.

Description :
During a recent security testing engagement it was identified that public access was granted to a script show.pl, which grabs a web page and highlights words in it based on POST/GET variables. The functionality was originally designed to show and highlight pages from the target web site only. However it was identified that no access restrictions were applied to the script and it was possible to manipulate the variables to make requests to other sites, ports and files.

For example, one could select:
http://10.0.0.0/cgi-bin/search/show.pl?url=http://www.google.com and the site would return the Google web site. Unfortunately this means that the server is now an open proxy, and it is possible to utilise the script to access web servers on the net and masquerade behind the target's site, which is very useful for analysing or attacking other servers using web protocols.

It is also possible to request web sites from private IP addresses behind the firewall, for example:
http://10.0.0.0/cgi-bin/search/show.pl?url=http://192.168.0.1 or from another port (in this case a Tomcat admin page):
http://10.0.0.0/cgi-bin/search/show.pl?url=http://localhost:8080
This seriously circumvents the security of any firewall infrastructure in place protecting the hosts.

It was also possible to gain access to services using the FTP protocol using:
http://10.0.0.0/cgi-bin/search/show.pl?url=ftp://192.168.0.1
Again, this potentially compromises any access restrictions in place at the network layer.

It is also possible to use the script to brute-force FTP accounts behind the firewall using the following:
http://10.0.0.0/cgi-bin/search/show.pl?url=ftp://username:password@192.168.0.1

Finally, it transpires that it is also possible to read any file on the filesystem using the following URL:
http://10.0.0.0/cgi-bin/search/show.pl?url=file:/etc/passwd
This would show the Operating System password file. Requesting only a directory provides a handy listing.

Tested Versions:
RiSearch 1.0.01
RiSearch Pro 3.2.06

Tested Operating Systems:
Microsoft Windows 2000

Vendor & Patch Information:
RiSearch was contacted on July 7th 2004 and released the update on July 8th 2004, which can be downloaded from http://www.risearch.org

Workarounds:
IRM is not aware of any workarounds for this issue.

Credits:
Research & Advisory: P Robinson - Technical Director, K Tang, G Gallagher

Disclaimer:
All information in this advisory is provided on an 'as is' basis in the hope that it will be useful. Information Risk Management Plc is not responsible for any risks or occurrences caused by the application of this information.

© 2012 Information Risk Management Plc | Cheltenham House | Clarence Street | Cheltenham GL50 3JR | UK Tel +44 (0)1242 225 200 | Fax +44 (0)1242 225 215 | info@irmplc.com