[1822] in WWW Security List Archive
wwwwais - concern over security hole
daemon@ATHENA.MIT.EDU (Nathan Neulinger)
Sun Apr 14 00:44:58 1996
Date: Sat, 13 Apr 1996 21:15:11 -0500
To: kevinh@eit.com
From: nneul@umr.edu (Nathan Neulinger)
Cc: batson@eit.com, www-security@ns2.rutgers.edu, boutell@boutell.com,
paulp@cerf.net, mlvanbie@calum.csclub.uwaterloo.ca,
lstein@genome.wi.mit.edu
Errors-To: owner-www-security@ns2.rutgers.edu
---------
Note to others that this note is cc to: This is a cc of a note I sent to
the author of wwwwais raising some security concerns about what the cgi is
allowing to be configured by a remote connection.
---------
I was working on patching wwwwais to get it to work properly with FreeWAIS
0.5, and noticed something I had noticed the first time I installed it...
I had added a configuration option environment variable WWWW_CONFFILE a
while back to help with one installation issue, but hadn't worried too much
about these problems. In trying to get this to be more readily usable by
people at my sites, I wanted to get it working with freewais as well.
However, now I needed to be concerned about these potential security
issues.
The way you allow passing in of the source, sourcedir, host, port is a VERY
SERIOUS potential security hole. 'searchprog' by itself isn't much of a
security problem, but when combined with the fact that you can specify
sourcedir, source, and other things - this is a big problem.
Here's why (and this is a hypothetical example, haven't tried, but it
appears it will work):
Organization has wwwwais installed with a few public indexes on
its main page
Someone internal to the organization has a database that is also
searchable, but only by authenticated users via a different installation of
wwwwais.
With those options, if I knew where that other index was located, I
could get to its index data.
Another problem is, wwwwais could be abused as an illegal proxy into
internal site wais servers by picking a hostname and port number.
I would recommend removing all of those options to tell you the truth.
There really isn't any reason that the remote user should be able to
control the searching behavior that much. If you use the WWWW_CONFFILE, you
can easily have multiple configuration files.
If you added an option to the wwwwais configuration file that gave a name to
a source:
-----------------------
WaisSource <source-codename> <source-file> <name>
WaisSource <source-codename> <host> <port> <index> <name>
SwishSource <source-codename> <source-file> <name>
---- instead of -------
WaisSource <source-file> <name>
WaisSource <host> <port> <index> <name>
SwishSource <source-file> <name>
-------------------------
You could then use the source-codename in the pop-up for selecting a
source. This would be the only thing (other than max-docs, sort, etc.) that
the remote site could choose. This would solve all the security issues that
this particular note raises.
I would be happy to fix this up with some security patches applied, as well
as the fix for freewais 0.5, and send it to you to be released as 2.6, but
you never answered my other message of a long time ago regarding other
patches to wwwwais.
If wwwwais wasn't so convenient to use, I would just stop using it, but I
would prefer to keep using it in a secure manner.
Please let me know.
Thanks.
-- Nathan
(author of CGIwrap)
------------------------------------------------------------
Nathan Neulinger Univ. of Missouri - Rolla
EMail: nneul@umr.edu Computing Services
WWW: http://www.umr.edu/~nneul SysAdmin: rollanet.org
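The codename indirection proposed in the mail, written out as an added example (this is not wwwwais code and not the author's patch): the CGI keeps every host, port, index and file path in its own config file, keyed by a codename, and the only thing it accepts from the request is that codename. The config text, the file paths, the hostname and the form parameter name `selection` are all constructed for the example; wwwwais's real parameter names may differ.

```python
"""Server-side source registry in the style the mail proposes.

The request may name a source only by codename.  Host, port, index and
file paths are resolved from the config file on the server; a request
that tries to supply them directly is refused instead of honoured.
"""
import shlex

# Constructed sample config in the proposed layout (hypothetical paths/hosts):
#   WaisSource  <codename> <source-file> <name>
#   WaisSource  <codename> <host> <port> <index> <name>
#   SwishSource <codename> <source-file> <name>
SAMPLE_CONFIG = """
# public indexes only; nothing here is reachable by guessing a path
WaisSource  pubdocs   /usr/local/wais/public.src        "Public documents"
WaisSource  manpages  wais.example.org 210 manpages     "Manual pages"
SwishSource www       /usr/local/swish/site.index       "Web site"
"""

# The old request-controlled knobs the mail objects to.  With the registry
# in place they have no legitimate use, so their presence is treated as an
# error rather than silently ignored (ignoring would hide a misconfigured
# or tampered form).
FORBIDDEN_PARAMS = {"source", "sourcedir", "host", "port", "searchprog"}


def parse_sources(text):
    """Parse the config text into {codename: source definition}."""
    sources = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)          # honours quoted display names
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: too few fields: {raw!r}")
        kind, codename, rest = fields[0], fields[1], fields[2:]
        if kind == "WaisSource" and len(rest) == 2:
            entry = {"type": "wais", "file": rest[0], "name": rest[1]}
        elif kind == "WaisSource" and len(rest) == 4:
            entry = {"type": "wais", "host": rest[0], "port": int(rest[1]),
                     "index": rest[2], "name": rest[3]}
        elif kind == "SwishSource" and len(rest) == 2:
            entry = {"type": "swish", "file": rest[0], "name": rest[1]}
        else:
            raise ValueError(f"line {lineno}: unrecognised source line: {raw!r}")
        if codename in sources:
            raise ValueError(f"line {lineno}: duplicate codename {codename!r}")
        sources[codename] = entry
    return sources


def resolve_request(query_params, sources):
    """Map parsed form parameters to the server-side source definition.

    query_params is a dict of the decoded query string.  Only the
    'selection' codename (assumed parameter name) is consulted; the caller
    never sees a host, port or path that did not come from the config.
    """
    bad = FORBIDDEN_PARAMS & set(query_params)
    if bad:
        raise PermissionError(
            f"client-controlled parameters not allowed: {sorted(bad)}")
    codename = query_params.get("selection")
    if codename not in sources:
        raise LookupError(f"unknown source codename {codename!r}")
    return sources[codename]


def selection_options(sources):
    """Return (codename, display name) pairs for building the pop-up."""
    return sorted((code, src["name"]) for code, src in sources.items())


if __name__ == "__main__":
    registry = parse_sources(SAMPLE_CONFIG)
    for code, name in selection_options(registry):
        print(f"{code:10} {name}")
    print(resolve_request({"selection": "manpages", "keywords": "login"}, registry))
```

Because the request carries only a codename, a reader who learns where another installation's index lives gains nothing: the CGI cannot be pointed at a path, host or port that is absent from its own config file, which closes both the cross-index read and the proxy-to-internal-servers case described in the mail.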