COMMAND

    Master Index

SYSTEMS AFFECTED

    Linux/UNIX with Master Index

PROBLEM

    Following   is   based   on   a   Synnergy  Laboratories  Advisory
    SLA-2000-16.  Synnergy Labs has  found a flaw within Master  Index
    that allows a  user to successfully  traverse the filesystem  on a
    remote host, allowing arbitary files/folders to be read.

    Master Index  is a  professional search  engine such  as Yahoo and
    Alta  Vista.   This  search  engine  supports  loads  of features.
    Admins can  set script  to automatically  add submissions  or wait
    until confirmed  by the  admin, users  can edit  and delete  their
    listings,    admins    can    add/edit/delete    categories    and
    sub-categories, and supports unlimited listings.  Product  pricing
    is $199.95 US

     Master Index can be found at:

        http://www.armadastyle.com/masterindex.html

    Synnergy has recently discovered  a flaw within Master  Index that
    allows a remote  user to traverse  the filesystem as  a request to
    the script  using the  $catigory=_some_dir_variable.   It is  then
    possible to read any file or folder's contents with priviledges as
    the httpd.

    Example:

        http://www.target.com/cgi-bin/search/search.cgi?keys=*&prc=any&catigory=../../../../../../../../etc

    The above line  if given will  output all the  directories and the
    file contents, that are nested within /etc directory.  Other  more
    sinister content can be revealed from there.

    Due  to  the  commercial  license  of the product advisory authors
    where unable to check the code for the exact bug, or even for  the
    discovery of more bugs.

SOLUTION

    The vendors have been informed of the bug.  It is advised to  wait
    for the next patched version of Master Index to be released.