[13165] in bugtraq
Re: Follow UP AltaVista
daemon@ATHENA.MIT.EDU (AVsearch)
Fri Dec 31 04:21:35 1999
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <005d01bf52fc$b261bfd0$7253e5cd@and.av.com>
Date: Thu, 30 Dec 1999 14:33:06 -0500
Reply-To: AVsearch <AVsearch@AND.AV.COM>
From: AVsearch <AVsearch@AND.AV.COM>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
To disable this security hole temporarily, until a patch is
available later today, follow the steps detailed below.
Unfortunately, AltaVista was just apprised of this problem today.
(It is not clear who at AltaVista was contacted ~3 months ago.)
Regards,
AltaVista Engineering
---------------------
Full steps would be:
- edit <install-dir>/httpd/config file and change MGMT_IPSPEC from
"0.0.0.0/0" to a specific IP such as "127.0.0.1/32"
- stop page gathering via management interface
- restart altavista search service (to re-read config file)
- restart page gathering if necessary
- change the username/password through the management interface to bogus
information
- exploit server and download ../logs/mgtstate (puts file in cache)
http://localhost:9000/cgi-bin/query?mss=../logs/mgtstate
- change the username/password through the management interface to something
different (but not used anywhere else)
- avoid restarting the AltaVista service or clearing the cache
Now when a user grabs the file, they will get the old cached information
which
is now invalid. This will last for as long as the mgtstate file stays in
the mhttpd's cache (until the service is restarted again).
