Exploit:
If "luser.dialup.someisp.com" is running Express Search, visit http://luser.dialup.someisp.com:1234/.
If your web server records the
http Referer header field. (here's how to
enable this in Apache) you can identify Express Search users by the Refer string
"http://localhost:1234/HLPage". By automating this process, you can get the email addresses of
users who find your page through Express Search. (This is similar to the
ident privacy problem on Unix which
has been, unfortunately, covered up to protect ident's utility for tracking third-rate crackers.)
Express Search users can also be discovered by scanning entire netblocks for TCP port 1234 with a utility such as nmap.
Discussion:
To prevent attacks, disable Express Search on your computer and wait for a patch from Disney.
This vulnerability was discovered by analysis of server logs from
www.honeylocust.com: the same method can be used to find users of other applications that act as
personal web servers. Authors of personal web servers should use host-based or other authentication
to prevent similar attacks.
