The AltaVista Search engine sets up a webserver at port 9000 to listen for search queries. The main search function will accept a single '../' string in the query, providing access to all documents in the 'http' directory one level up. These documents contain various administrative information, including the password for the remote administration utility. The password is base-64 encoded, and can be easily restored to plaintext to give an attacker full remote administration abilities for the search engine. The webserver will accept multiple '../' strings if they are hex encoded, ie '%2e%2e%2f'.
(to get the mgtstate file.)
print decode_base64("$ARGV"), "\n";
(to unencode the username/password)
and enter the username/password to access the remote administration features
to get the password file on a unix system
AltaVista Intranet Search CGI contains a flaw that allows a remote attacker to read arbitrary files outside of the web path. The issue is due to the "query" not properly sanitizing user input, specifically traversal style attacks (../../) supplied via the "mss" variable.
Currently, there are no known workarounds or upgrades to correct this issue. However, Altavista has released a patch (V2.3A) to address this vulnerability.