Master Index is a commercially supported search engine. Certain versions of this software ship with a path traversal vulnerability: a remote user may 'back out' (.../) of the web root directory and view or download any file that the user running Master Index has permission to read.
Master Index search.cgi Traversal Arbitrary File/Directory Access
Remote / Network Access
Loss of Confidentiality, Loss of Integrity
Master Index contains a flaw that allows a remote attacker to access arbitrary files and directories outside of the web path. The flaw exists because the "search.cgi" script does not properly sanitize user input, specifically traversal-style sequences (../../) supplied via the "catigory" variable.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
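The following Python script is an added example, not part of the original entry or of Master Index itself: it flags access-log requests to search.cgi whose "catigory" value contains a ".." path segment, including percent-encoded and double-encoded forms. The Common Log Format, the /cgi-bin/ location, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line inside a Common/Combined Log Format entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded input (%252e) is unmasked."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(value):
    """True if the decoded value contains a '..' path segment."""
    path = fully_decode(value).replace("\\", "/")
    return ".." in path.split("/")

def flag_line(line):
    """Return the suspicious 'catigory' value found in a log line, or None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.endswith("/search.cgi"):
        return None
    # parse_qs decodes one layer; has_traversal peels off any further layers.
    for value in parse_qs(url.query, keep_blank_values=True).get("catigory", []):
        if has_traversal(value):
            return value
    return None

def scan(lines):
    """Return (line_index, value) for every flagged log line."""
    hits = ((i, flag_line(line)) for i, line in enumerate(lines))
    return [(i, v) for i, v in hits if v is not None]

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2001:10:00:00 +0000] "GET /cgi-bin/search.cgi?catigory=sports HTTP/1.0" 200 512',
    '192.0.2.11 - - [01/Jan/2001:10:00:05 +0000] "GET /cgi-bin/search.cgi?catigory=../../PLACEHOLDER HTTP/1.0" 200 90',
    '192.0.2.11 - - [01/Jan/2001:10:00:09 +0000] "GET /cgi-bin/search.cgi?catigory=%2e%2e%2f%2e%2e%2fPLACEHOLDER HTTP/1.0" 200 90',
    '192.0.2.12 - - [01/Jan/2001:10:00:12 +0000] "GET /cgi-bin/search.cgi?catigory=%252e%252e%252fPLACEHOLDER HTTP/1.0" 200 90',
    '192.0.2.13 - - [01/Jan/2001:10:00:20 +0000] "GET /cgi-bin/search.cgi?catigory=a..b HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for index, value in scan(SAMPLE_LOG):
        print(f"line {index}: suspicious catigory value {value!r}")
```

The value reported is the one obtained after a single round of decoding, so double-encoded requests remain recognisable as such in the output.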