Synnergy Laboratories Advisory SLA-2000-16 NAME Master Index directory traversal vulnerability AFFECTED Linux/UNIX with Master Index SYNOPSIS Synnergy Labs has found a flaw within Master Index that allows a user to successfully traverse the filesystem on a remote host, allowing arbitary files/folders to be read. DESCRIPTION Master Index is a professional search engine such as Yahoo and Alta Vista. This search engine supports loads of features. Admins can set script to automatically add submissions or wait until confirmed by the admin, users can edit and delete their listings, admins can add/edit/delete categories and sub-categories, and supports unlimited listings. Product pricing is $199.95 US Master Index can be found at:http://www.armadastyle.com/masterindex.html Synnergy has recently discovered a flaw within Master Index that allows a remote user to traverse the filesystem as a request to the script using the $catigory=_some_dir_variable. It is then possible to read any file or folder's contents with priviledges as the httpd. Example: http://www.target.com/cgi-bin/search/search.cgi?keys=*&prc=any&catigory=../../../../../../../../etc The above line if given will output all the directories and the file contents, that are nested within /etc directory. Other more sinister content can be revealed from there. Due to the commercial license of the product we where unable to check the code for the exact bug, or even for the discovery of more bugs. SOLUTION The vendors have been informed of the bug. It is advised to wait for the next patched version of Master Index to be released. AUTHOR Discovery: pestilence @ synnergy.net DISCLAIMER Synnergy Laboratories may not be held liable for the use or potential effects of these programs or advisories, nor the content contained within. Use them at your own risk. COPYRIGHT Synnergy Laboratories - www.synnergy.net (c) 1998-2000