Audit of BRS/SEARCH

From: Javier Fernández-Sanguino Peña (jfernandez@germinus.com)
Date: Fri Oct 25 2002 - 05:44:04 EDT


Has anyone audited the BRS/SEARCH document database engine before? It
seems to me (it's a pen-test :) that for public databases using this
database engine on the web, database command injection (it does not use
SQL) is not much of an issue, since there does not seem to be a database
holding usernames/passwords; there are only indexed documents.

I have found in a pen-test a CGI application that *is* vulnerable to
injection of database queries, but I do not see any valuable information
whatsoever, so I'm starting to think this is a 'medium' vulnerability
(and not 'high' as it would be if you had an Oracle or SQL Server
database behind it).

Any ideas? I'm going to start trying the usual CGI stuff (buffer
overflows, brute force of parameters, et al) on the application (it's a
C application, no Perl :-( to see how it answers since I think I've hit
a dead-end with the injection stuff.

Javi

PS: For those that do not know what BRS/SEARCH is, try
http://isd.usc.edu/~karl/BRS/faq.html
