Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:14397
HistorySep 23, 2006 - 12:00 a.m.

Google Mini Search Applicance Path Disclosure

2006-09-2300:00:00
vulners.com
22
JSON

aushack.com - Vulnerability Advisory

Release Date:
22-Sep-2006

Software:
Google Inc - Google Mini Search Appliance
http://www.google.com.au/enterprise/mini/index.html

"The Google Mini delivers cost-effective, high-quality search for
your public website, intranet, and file servers, and you can be up
and running in less than an hour."

Versions affected:
4.4.102.M.36 and below.

Vulnerability discovered:

Reveal web server path.

Vulnerability impact:

Low - Web server path disclosure.

Vulnerability information:

User controlled 'client' value.

Example (lines may be wrapped):

http://mini.site.com.au/search?q=test&client=showmethepathalready

Would return the error:
"/export/hda3/4.4.102.M.36/local/conf/frontends/showmethepathalready
/domain_filter (No such file or directory)"

May be able to break out, but not yet found. Fuzz anyone?

References:
aushack.com advisory
http://www.aushack.com/advisories/200609-googlemini.txt

Credit:
Patrick Webster ( [email protected] )

Disclosure timeline:
22-Sep-2006 - Disclosure.

EOF

JSON