CVE-2000-0039

Vulnerability

The AltaVista Search engine, specifically the query.cgi CGI program, is vulnerable to directory traversal attacks. This vulnerability affects versions of AltaVista Search Intranet 2.0 b/2.3. The webserver listens on port 9000 and accepts a single '../' string in the query, allowing access to files outside the intended document root [1].

Exploitation

An attacker can exploit this vulnerability by sending crafted requests to the query.cgi script. By using '../' sequences, potentially hex-encoded as %2e%2e%2f, an attacker can navigate the file system. For example, requesting ../logs/mgtstate can retrieve administrative files. The password for the remote administration utility, found in these files, is Base64 encoded and can be decoded using a simple Perl script to gain administrative access [1].

Impact

Successful exploitation allows an attacker to read arbitrary files on the server, including sensitive administrative information such as usernames and passwords. By decoding the Base64 encoded password, an attacker can gain full remote administration capabilities for the AltaVista Search engine, potentially leading to further compromise or disruption of services [1].

Mitigation

No specific patched version or release date is mentioned in the available references. Users are advised to consult vendor advisories for potential workarounds or updated information. It is not specified if this vulnerability is listed on the Known Exploited Vulnerabilities (KEV) catalog [1].