ZDI-06-042: Verity Ultraseek Request Proxying Vulnerability
Written by Marcelo Almeida (Vympel)   
Thursday, 16 November 2006
CVE ID: CVE-2006-5819
Affected Vendor: Verity
Affected Products: Ultraseek

TippingPoint™ IPS Customer Protection:

TippingPoint IPS customers have been protected against this vulnerability since April 3, 2006 by Digital Vaccine protection filter ID 4287. For further product information on the TippingPoint IPS:

    www.tippingpoint.com

Vulnerability Details:
This vulnerability allows remote attackers to proxy web attacks and scan internal hosts through vulnerable installations of Verity Ultraseek. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the highlight script used to highlight search terms on spidered pages. An attacker can directly access the highlight script at '/highlight/index.html' to pass parameters to and retrieve content from arbitrary URLs. The same script can also be abused to enumerate otherwise inaccessible internal addresses and open ports.
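
Detection logic for the request pattern described above, added here as an example and not part of the ZDI advisory or the vendor's code: it flags access-log requests to the highlight script that carry an absolute URL in any query parameter and groups the requested targets per client. It assumes Common Log Format logs; the sample lines and the parameter name `x` are constructed, and every parameter is inspected because the advisory does not name the one involved.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

HIGHLIGHT_PATH = "/highlight/index.html"  # script named in the advisory
# Common Log Format: client, ident, user, [time], "METHOD target PROTO"
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*"')
# Constructed sample lines; "x" is a placeholder parameter name.
SAMPLE_LOG = [
    '203.0.113.9 - - [16/Nov/2006:10:00:01 +0000] "GET /highlight/index.html?x=http%3A%2F%2F10.0.0.5%3A8080%2F HTTP/1.0" 200 512',
    '203.0.113.9 - - [16/Nov/2006:10:00:02 +0000] "GET /highlight/index.html?x=http://10.0.0.5:22/ HTTP/1.0" 200 0',
    '198.51.100.7 - - [16/Nov/2006:10:00:03 +0000] "GET /query.html?qt=backup HTTP/1.0" 200 900',
]

def classify_host(host):
    """Return 'internal', 'external' or 'name' (hostname, not resolved here)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "internal" if host.lower() == "localhost" else "name"
    return "internal" if (ip.is_private or ip.is_loopback or ip.is_link_local) else "external"

def inspect_line(line):
    """Return a finding for a highlight-script request carrying an http(s) URL, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, target = m.groups()
    parts = urlsplit(target)
    if parts.path.lower() != HIGHLIGHT_PATH:
        return None
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        try:
            inner = urlsplit(value)
            host, port = inner.hostname, inner.port
        except ValueError:  # malformed URL or port in the parameter value
            continue
        if inner.scheme in ("http", "https") and host:
            return {"client": client, "param": name, "host": host,
                    "port": port, "class": classify_host(host)}
    return None

def summarize(lines):
    """Map client -> distinct (host, port) targets it asked the script for."""
    targets = {}
    for f in filter(None, map(inspect_line, lines)):
        targets.setdefault(f["client"], set()).add((f["host"], f["port"]))
    return {c: sorted(t, key=str) for c, t in targets.items()}
```

A single client requesting many distinct host and port pairs through the script matches the enumeration behaviour the advisory describes, so the per-client target count is the value to alert on.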

Ultraseek also exposes various information disclosure vulnerabilities through the following scripts:

    /help/urlstatusgo.html
    /help/header.html
    /help/footer.html
    /spell.html
    /coreforma.html
    /daterange.html
    /hits.html
    /hitsnavbottom.html
    /indexform.html
    /indexforma.html
    /languages.html
    /nohits.html
    /onehit1.html
    /onehit2.html
    /query.html
    /queryform0.html
    /queryform0a.html
    /queryform1.html
    /queryform1a.html
    /queryform2.html
    /queryform2a.html
    /quicklinks.html
    /relatedtopics.html
    /signin.html
    /subtopics.html
    /thesaurus.html
    /topics.html
    /hitspagebar.html
    /highlight/highlight.html
    /highlight/highlight_one.html
    /highlight/topnav.html

Authenticated Ultraseek users can further abuse another vulnerability to retrieve arbitrary file contents from the underlying server through the '/admin/logfile.txt' script.

Vendor Response:
Verity has issued an update to correct this vulnerability. More details can be found at:

    http://www.ultraseek.com/support/docs/RELNOTES.txt

Disclosure Timeline:

2006.04.03-Digital Vaccine released to TippingPoint customers
2006.05.09-Vulnerability reported to vendor
2006.11.15-Coordinated public release of advisory

Credit:
This vulnerability was discovered by sullo / CIRT.net

About the Zero Day Initiative (ZDI):
Established by TippingPoint, a division of 3Com, the Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign up at:

    www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. 3Com does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, 3Com provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, 3Com provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.
