Mobileunit Security Advisory 001
December 12, 1999

Privacy hole in Go Express Search


Description
Disney's Go Express Search operates an http server at port 1234 without authentication. Remote users can submit search queries, and view queries and personal links left by other users. It's possible to access the configuration interface, which can reveal the e-mail address of the user who registered it. Configuration settings can be changed remotely to, for instance, add, remove or alter personal links.

Exploit:
If "luser.dialup.someisp.com" is running Express Search, visit http://luser.dialup.someisp.com:1234/. If your web server records the http Referer header field (here's how to enable this in Apache), you can identify Express Search users by the Referer string "http://localhost:1234/HLPage". By automating this process, you can get the email addresses of users who find your page through Express Search. (This is similar to the ident privacy problem on Unix which has been, unfortunately, covered up to protect ident's utility for tracking third-rate crackers.)

Express Search users can also be discovered by scanning entire netblocks for TCP port 1234 with a utility such as nmap.

Discussion:
To prevent attacks, disable Express Search on your computer and wait for a patch from Disney. This vulnerability was discovered by analysis of server logs from www.honeylocust.com: the same method can be used to find users of other applications that act as personal web servers. Authors of personal web servers should use host-based or other authentication to prevent similar attacks.
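As an added illustration of the host-based authentication recommended above (example code written for this note, not Disney's or Express Search's own software), here is a minimal personal web server on port 1234 that binds only to the loopback interface and additionally refuses any request whose peer address is not loopback, so the remote queries described in this advisory are never served. The port number and the hypothetical handler are the only assumptions.

```python
# Added example: a personal web server with host-based authentication.
# Both layers are applied: the socket is bound to 127.0.0.1 (never 0.0.0.0),
# and every request is checked against the peer address as defence in depth.
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer

PORT = 1234  # the port Express Search listened on, per the advisory


def client_allowed(peer_ip: str) -> bool:
    """Host-based check: only loopback peers (127.0.0.0/8, ::1) may use the server."""
    try:
        return ipaddress.ip_address(peer_ip).is_loopback
    except ValueError:
        return False  # unparsable address: deny rather than guess


class LocalOnlyHandler(BaseHTTPRequestHandler):
    """Hypothetical handler standing in for a search/configuration interface."""

    def do_GET(self):
        if not client_allowed(self.client_address[0]):
            # A non-local peer gets a 403 and no search, link or config data.
            self.send_error(403, "local access only")
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"search interface (local user only)\n")


def make_server(port: int = PORT) -> HTTPServer:
    # Binding to the loopback address keeps the listener off external
    # interfaces, so a netblock scan for TCP/1234 would not find it.
    return HTTPServer(("127.0.0.1", port), LocalOnlyHandler)


if __name__ == "__main__":
    make_server().serve_forever()
```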

© 1999 Honeylocust Media Systems contact: mobileunit@mobileunit.org. Visit Positive Propaganda, our directory of independent web sites and Airstrike.