StepWeb Search Engine Admin Webpage Access Vulnerability

StepWeb Search Engine (SWS) is a search engine script which uses a flatfile database to store search entries. It is written in Perl and should run on most Unix and Linux variants.

A remote attacker who can guess the location of the admin webpage can trivially gain access to the administrative functions of the software, because the password credentials for the administrative scripts are embedded in hard-coded links on the admin webpage.

This may enable an attacker to add arbitrary search entries or gain access to search logs.

This issue has been reported for the free version of SWS 2.5. Earlier versions and commercial versions may also be affected.
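To check whether a page served by your own installation exposes credentials in this way, the added example below (not part of the original advisory or of SWS) scans HTML for link, form and resource URLs whose query string carries a non-empty password-like parameter. The parameter names, script paths and sample page are assumptions constructed for illustration; the advisory does not name the parameters SWS uses.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Assumed parameter names; the advisory does not say which ones SWS uses.
CREDENTIAL_PARAMS = {"password", "passwd", "pass", "pwd", "adminpass"}
# Attributes that can hold a URL a browser will request or display.
URL_ATTRS = {"href", "src", "action"}


class CredentialLinkFinder(HTMLParser):
    """Collects URL attributes whose query string carries a credential."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, url, parameter name)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            query = urlsplit(value).query
            for key, val in parse_qsl(query, keep_blank_values=True):
                # An empty value is not a leaked secret, so skip it.
                if key.lower() in CREDENTIAL_PARAMS and val:
                    self.findings.append((tag, name, value, key))


def find_credential_links(html):
    """Return every (tag, attribute, url, parameter) that embeds a credential."""
    finder = CredentialLinkFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page; paths and values are placeholders, not taken from SWS.
SAMPLE_ADMIN_PAGE = """
<html><body>
<a href="/cgi-bin/example/manage.pl?action=add&amp;password=EXAMPLE-SECRET">Add</a>
<a href="/cgi-bin/example/logs.pl?pwd=EXAMPLE-SECRET&amp;view=all">View logs</a>
<a href="/cgi-bin/example/search.pl?q=test">Search</a>
<form action="/cgi-bin/example/manage.pl?password=" method="post"></form>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url, param in find_credential_links(SAMPLE_ADMIN_PAGE):
        print(f"<{tag} {attr}> exposes '{param}' in {url}")
```

Any finding means the secret is readable by whoever can load the page and will also appear in browser history, proxy logs and Referer headers, so the admin page itself needs authentication and the credential should not travel in URLs.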


