From: AVsearch [AVsearch@AND.AV.COM] Sent: Thursday, December 30, 1999 2:33 PM To: BUGTRAQ@SECURITYFOCUS.COM Subject: Re: Follow UP AltaVista To disable this security hole temporarily, until a patch is available later today, follow the steps detailed below. Unfortunately, AltaVista was just apprised of this problem today. (It is not clear who at AltaVista was contacted ~3 months ago.) Regards, AltaVista Engineering --------------------- Full steps would be: - edit /httpd/config file and change MGMT_IPSPEC from "0.0.0.0/0" to a specific IP such as "127.0.0.1/32" - stop page gathering via management interface - restart altavista search service (to re-read config file) - restart page gathering if necessary - change the username/password through the management interface to bogus information - exploit server and download ../logs/mgtstate (puts file in cache) http://localhost:9000/cgi-bin/query?mss=../logs/mgtstate - change the username/password through the management interface to something different (but not used anywhere else) - avoid restarting the AltaVista service or clearing the cache Now when a user grabs the file, they will get the old cached information which is now invalid. This will last for as long as the mgtstate file stays in the mhttpd's cache (until the service is restarted again).