mailing list archives
Re: Follow UP AltaVista
From: AVsearch () AND AV COM (AVsearch)
Date: Thu, 30 Dec 1999 14:33:06 -0500
To disable this security hole temporarily, until a patch is
available later today, follow the steps detailed below.
Unfortunately, AltaVista was just apprised of this problem today.
(It is not clear who at AltaVista was contacted ~3 months ago.)
Full steps would be:
- edit <install-dir>/httpd/config file and change MGMT_IPSPEC from
"0.0.0.0/0" to a specific IP such as "127.0.0.1/32"
- stop page gathering via management interface
- restart altavista search service (to re-read config file)
- restart page gathering if necessary
- change the username/password through the management interface to bogus
- exploit server and download ../logs/mgtstate (puts file in cache)
- change the username/password through the management interface to something
different (but not used anywhere else)
- avoid restarting the AltaVista service or clearing the cache
Now when a user grabs the file, they will get the old cached information
is now invalid. This will last for as long as the mgtstate file stays in
the mhttpd's cache (until the service is restarted again).
- Re: Follow UP AltaVista AVsearch (Dec 30)