SearchBlox 漏洞列表

SearchBlox prior to version 9.2.2 is susceptible to local file inclusion in FileServlet that allows remote, unauthenticated users to read arbitrary files from the operating system via a /searchblox/servlet/FileServlet?col=url= request. Additionally, this may be used to read the contents of the SearchBlox configuration file (e.g., searchblox/WEB-INF/config.xml), which contains both the Super Admin API key and the base64 encoded SHA1 password hashes of other SearchBlox users.

SearchBlox prior to version 9.2.2 is susceptible to local file inclusion in FileServlet that allows remote, unauthenticated users to read arbitrary files from the operating system via a /searchblox/servlet/FileServlet?col=url= request. Additionally, this may be used to read the contents of the SearchBlox configuration file (e.g., searchblox/WEB-INF/config.xml), which contains both the Super Admin API key and the base64 encoded SHA1 password hashes of other SearchBlox users.

SearchBlox 是一个企业搜索解决方案，基于 Lucene 构建。可进行快速发布、轻松管理以及支持云环境。这是与 Google Mini最接近的一款搜索产品。9.2.2之前的所有SearchBlox中FileServlet中的本地文件包含漏洞，允许未经身份验证的远程用户通过/searchblox / servlet / FileServlet？col = url =请求从操作系统读取任意文件。

SearchBlox是美国SearchBlox公司的一套开源免费的基于Lucene（全文检索引擎工具包）构建的企业搜索和分析解决方案。该方案提供一个基于Web的管理界面，可以管理整个搜索系统。 SearchBlox 8.2之前版本的admin/uploadImage.html页面中存在任意文件上传漏洞。远程攻击者可通过上传特制的可执行文件利用该漏洞执行任意代码。