Company

Technical Security Consulting

Managing Risk

Research & Development

Forensics

Security Management

Media Centre

PCI DSS

• Home
• Overview
• R&D Services
• Technology Focus
• Messaging Systems Security
• Embedded Systems Security
• Collaborative Research Projects
• Technical Whitepapers
• Research Briefings
• Publicly Released Tools
• Vendor Alerts - 0days
• Security Advisories
• Advisories
• Advisory 028
• Advisory 027
• Advisory 026
• Advisory 025
• Advisory 024
• Advisory 023
• Advisory 022
• Advisory 021
• Advisory 020
• Advisory 019
• Advisory 018
• Advisory 017
• Advisory 016
• Advisory 015
• Advisory 014
• Advisory 013
• Advisory 012
• Advisory 011
• Advisory 010
• Advisory 009
• Advisory 008
• Advisory 007
• Advisory 006
• Advisory 005
• Advisory 004
• Advisory 003
• Advisory 002
• Advisory 001

Advisory 009

RiSearch and RiSearch Pro Pro are vulnerable to open FTP/HTTP proxy, directory listings and file disclosure vulnerabilities
Vulnerablity Type / Importance: Network Subversion, Arbitrary Filesystem Access / High

Problem discovered: July 6th 2004
Vendor contacted: July 7th 2004
Advisory published: July 27th 2004

Abstract :
The RiSearch (and Pro) Suite is a set of PERL scripts that enables users to search web sites.

RiSearch (Pro) is vulnerable to an open proxy attack that allows arbitrary access to ports via FTP and HTTP as well as access to the remote file system (files and directory listings) outside the web root.

Description :
During a recent security testing engagement it was identified that public access was granted to a script show.pl, which grabs a web page and highlights words in it based on POST/GET variables. The functionality was originally designed to show and highlight pages from the target web site only. However it was identified that no access restrictions were applied to the script and it was possible to manipulate the variables to make requests to other sites, ports and files.

For example, one could select: -

http://10.0.0.0/cgi-bin/search/show.pl?url=http://www.google.com

and the site would return the Google web site. Unfortunately this means that the server is now an open proxy, and it is possible to utilise the script to access web servers on the net and masquerade behind the target's site, which is very useful for analysing/attacking other servers using web protocols.

Furthermore, it is also possible to request web sites from private IP addresses behind the firewall, for example: -

http://10.0.0.0/cgi-bin/search/show.pl?url=http://192.168.0.1

or from another port (in this case a Tomcat admin page): -

http://10.0.0.0/cgi-bin/search/show.pl?url=http://localhost:8080

This seriously circumvents the security of any firewall infrastructure in place protecting the hosts.

It was also observed that it was possible to gain access to services using the FTP protocol using: -

http://10.0.0.0/cgi-bin/search/show.pl?url=ftp://192.168.0.1

Again, potentially compromising any access restrictions in place at the network layer. It is also possible to use the script to brute-force FTP accounts behind the firewall using the following: -

http://10.0.0.0/cgi-bin/search/show.pl?url=ftp://username:password@192.168.0.1

Finally, it transpires that it is also possible to read any file on the filesystem using the following URL: -

http://10.0.0.0/cgi-bin/search/show.pl?url=file:/etc/passwd

This would show the Operating System password file. Requesting only a directory provides a handy listing.

Tested Versions:
RiSearch 1.0.01
RiSearch Pro 3.2.06

Tested Operating Systems:
Microsoft Windows 2000

Vendor & Patch Information:
RiSearch were contacted on July 7th 2004 and released the update on July 8th 2004, which can be downloaded from http://www.risearch.org

Workarounds:
IRM are not aware of any workarounds for this issue.

Credits:
Research & Advisory: P Robinson - Technical Director, K Tang, G Gallagher

Disclaimer:
All information in this advisory is provided on an 'as is' basis in the hope that it will be useful. Information Risk Management Plc is not responsible for any risks or occurrences caused by the application of this information.