Inktomi Search Information Disclosure Vulnerability
BID:2062
Info
Inktomi Search Information Disclosure Vulnerability
| Bugtraq ID: | 2062 |
| Class: | Configuration Error |
| CVE: | |
| Remote: | Yes |
| Local: | Yes |
| Published: | Dec 05 2000 12:00AM |
| Updated: | Dec 05 2000 12:00AM |
| Credit: | Reported to bugtraq by china nsl <[email protected]> on Tue, 5 Dec 2000. |
| Vulnerable: |
Inktomi Search Software 3.0 |
| Not Vulnerable: |
Inktomi Search Software 4.0 Inktomi Search Software 3.1 |
Discussion
Inktomi Search Information Disclosure Vulnerability
A vulnerability exists in version 3.0 of Ultrseek server (aka Inktomi Search).
Due to a failure to properly validate user-supplied input, URLs submitted by a remote user of the form:
http://target:8765/example/
will, if the file 'example' does not exist, return an error message which discloses sensitive path and server configuration information.
As a result, it is possible for an attacker to obtain information about the server's configuration and directory structure, which could be used to support further attacks.
This may be the result of a weak default configuration. Ultraseek Server returns detailed error information when requests are recieved from an administrative IP address. By default, administrative status is given to all addresses.
A vulnerability exists in version 3.0 of Ultrseek server (aka Inktomi Search).
Due to a failure to properly validate user-supplied input, URLs submitted by a remote user of the form:
http://target:8765/example/
will, if the file 'example' does not exist, return an error message which discloses sensitive path and server configuration information.
As a result, it is possible for an attacker to obtain information about the server's configuration and directory structure, which could be used to support further attacks.
This may be the result of a weak default configuration. Ultraseek Server returns detailed error information when requests are recieved from an administrative IP address. By default, administrative status is given to all addresses.
Exploit / POC
Inktomi Search Information Disclosure Vulnerability
http://target:8765/example/
http://target:8765/example/
Solution / Fix
Inktomi Search Information Disclosure Vulnerability
Solution:
Inktomi has reported that this vulnerability is fixed in Ultraseek Server version 3.1 or 4.0 and later. Customers are advised to update to the most current version.
Solution:
Inktomi has reported that this vulnerability is fixed in Ultraseek Server version 3.1 or 4.0 and later. Customers are advised to update to the most current version.
References
Inktomi Search Information Disclosure Vulnerability
References:
References:
- Exception Trace (Inktomi)
- Inktomi Enterprise Search Documentation (Inktomi)
- Inktomi Homepage (Inktomi)