Vulnerability: Sojourn Search Engine

Affected: Any web server running this search engine

Description

The Cerberus Security Team found the following (CISADV000313). The Cerberus Security Team has discovered a weakness in the commercial search engine Sojourn that allows attackers to read any local file on the file system that they have read access to (as provided by the account the web server is running under). As such, files such as /etc/passwd on Unix systems, or global.asa on Windows NT and 2000, can be read.

Part of the functionality provided by the Sojourn search engine allows the admin of a website to group sites and information in categories, and a web user can then search that category with a request of:

http://charon/cgi-bin/sojourn.cgi?cat=Arts

These categories are actually stored as .txt files (Arts -> Arts.txt). The ".txt" is appended to the end of the "cat" parameter, and the file is then opened and its contents returned. However, the search engine will follow double dots, allowing us to break out of the web server's virtual root. At first glance it may seem that only .txt files will be accessible; however, by placing a %00 on the end of the "cat" parameter we can effectively cut off the ".txt", thus being able to open any file. For example:

http://charon/cgi-bin/sojourn.cgi?cat=../../../../../../etc/passwd%00

will display the contents of the passwd file on UNIX boxes.

Solution

The vendor was informed; they have addressed their code and this now appears to be fixed. Until the update can be obtained, Cerberus suggests that this search engine be temporarily disabled or removed. A check has been added to the CIS security scanner.
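The two defects the advisory describes (unchecked ".." traversal and a NUL byte that truncates the appended ".txt" in a C-level open) are each closed by an independent check in the resolver below, and the same two indicators are what a log review should look for. This is an added example, not the advisory's or Sojourn's own code; the category directory path and the access-log lines are constructed.

```python
import re
from pathlib import Path
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Assumed location of the per-category .txt files (not from the advisory).
CATEGORY_DIR = Path("/var/www/sojourn/categories")
# Category names are plain identifiers: no slashes, dots or control bytes.
SAFE_CATEGORY = re.compile(r"[A-Za-z0-9_-]{1,64}")


def resolve_category_file(cat: str, base: Path = CATEGORY_DIR) -> Optional[Path]:
    """Map a 'cat' parameter to <base>/<cat>.txt, or None if it is unsafe.

    '..' and '/' fail the allow-list; a NUL byte (which lets a C-level
    open() drop the appended '.txt') fails the explicit test; the final
    containment check catches anything the allow-list might have missed.
    """
    if "\x00" in cat or not SAFE_CATEGORY.fullmatch(cat):
        return None
    resolved = (base / f"{cat}.txt").resolve()  # non-strict: file may not exist
    if base.resolve() not in resolved.parents:
        return None
    return resolved


def flag_request(log_line: str) -> List[str]:
    """Return the advisory's indicators found in one Common Log Format line
    aimed at sojourn.cgi; an empty list means nothing suspicious."""
    m = re.search(r'"(?:GET|POST|HEAD) (\S+) HTTP/', log_line)
    if not m or "sojourn.cgi" not in m.group(1):
        return []
    # parse_qs percent-decodes, so %2e%2e and %00 are seen as '..' and NUL.
    query = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
    cat = query.get("cat", [""])[0]
    reasons = []
    if ".." in cat.replace("\\", "/").split("/"):
        reasons.append("path traversal")
    if "\x00" in cat:
        reasons.append("null byte")
    return reasons


# Constructed sample access-log lines; the second replays the advisory's request.
ACCESS_LOG = [
    '10.0.0.5 - - [13/Mar/2000:10:00:01 +0000] "GET /cgi-bin/sojourn.cgi?cat=Arts HTTP/1.0" 200 512',
    '10.0.0.9 - - [13/Mar/2000:10:00:07 +0000] "GET /cgi-bin/sojourn.cgi?cat=../../../../../../etc/passwd%00 HTTP/1.0" 200 1187',
]

if __name__ == "__main__":
    for line in ACCESS_LOG:
        print(line.split('"')[1], "->", flag_request(line) or "clean")
```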