BID:2061

Inktomi Search Source Disclosure Vulnerability

Info

Inktomi Search Source Disclosure Vulnerability

Bugtraq ID:	2061
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	Yes
Published:	Dec 05 2000 12:00AM
Updated:	Dec 05 2000 12:00AM
Credit:	Reported to bugtraq by china nsl <[email protected]> on Tue, 5 Dec 2000.
Vulnerable:	Inktomi Search Software 3.0 - HP HP-UX 11.0 4 - Linux kernel 2.3 - Microsoft Windows NT 4.0 - Sun Solaris 2.5

Not Vulnerable:	Inktomi Search Software 4.0 Inktomi Search Software 3.1

Discussion

Inktomi Search Source Disclosure Vulnerability

A vulnerability exists in version 3.0 of Ultrseek server (aka Inktomi Search).

Due to a failure to properly validate user-supplied input, URLs submitted by a remote user of the form:

http://target:8765/somefile.html/

will return the source to 'somefile.html'.

As a result, it is possible for an attacker to obtain source code to any Ultraseek scripts, which could be used to support further attacks.

Exploit / POC

Inktomi Search Source Disclosure Vulnerability

http://target:8765/somefile.html/

will return the source to 'somefile.html'.

Solution / Fix

Inktomi Search Source Disclosure Vulnerability

Solution:
Inktomi has reported that this vulnerability is fixed in Ultraseek Server version 3.1 or 4.0 and later. Customers are advised to update to the most current version.

References

Inktomi Search Source Disclosure Vulnerability

References:

Exception Trace (Inktomi)
Inktomi Enterprise Search Documentation (Inktomi)
Inktomi Homepage (Inktomi)