
swish-E.txt
Posted Aug 17, 1999

Swish search engine vulnerabilities could allow remote access to the web-server as the user that the server is running as.

tags | exploit, remote, web, vulnerability
SHA-256 | f75207bdf0bb630971ee22f8779e0481275d7ec3151049205ff9b917e21ca0b5

Date: Mon, 9 Nov 1998 22:00:33 +0100
From: Job de Haas <job@ITSX.COM>
To: BUGTRAQ@netspace.org
Subject: Vulnerabilities with Swish


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

While installing the Swish search engine (http://sunsite.berkeley.edu/SWISH-E)
at our site (http://www.itsx.com) we discovered several (potential)
vulnerabilities. Swish-e and the accompanying configuration package AutoSwish
contain vulnerabilities in the source code of the indexer, in an example perl
script and in the perl scripts generated by AutoSwish for setting up an entry
form. Although the major problem is in the example script we found that
several sites use this. Also the well known nature of these issues doesn't
seem to make it less desirable to point them out (again).

Impact
------

The vulnerabilities could allow remote access to the web-server as the user
that the server is running as.

Description
-----------

1) Perl script problems

Perl scripts to interface to the indexing and search program are provided
in two fashions: as plain example scripts and auto-generated by the
AutoSwish configuration tool. The example scripts are provided on the web
site for Swish (http://sunsite.berkeley.edu/SWISH-E/Manual/webscripts.html).
The scripts call the search program with parameters in the following manner:

open(SWISH,"$swish -w $query -m $results -f $index|");

The example scripts do this without stripping the user supplied arguments of
shell meta-characters, AutoSwish generated scripts do some stripping.
Still, subversion might be possible by providing command line arguments as
search strings. This is a problem due to the way the arguments are processed
by the indexing program.

This behavior can be prevented by using exec (which enforces the query to
be a single argument) and by removing any leading dashes from the user
supplied strings.

This should possibly be something like:

$query =~ s/^-+(.*)/$1/;
$results =~ s/^-+(.*)/$1/;
open(SWISH,"-|") || exec $swish,"-w",$query,"-m",$results,"-f",$index;


2) Buffer overflows

The code of the actual index and search program contains numerous buffer
overflows. These are too superfluous to mention. For the arguments these can
be circumvented by doing some preliminary limitation on the size of these
user supplied arguments. The following will allow you to keep using the
binaries you have:

$query =~ s/(.{256}).*/$1/;
$results =~ s/(.{256}).*/$1/;

Of course limiting the allowable characters in the query also severely limits
the possibilities for exploiting an overflow. We have not fully evaluated what
the impact could be when a user has control over the files being indexed.

Solution
--------

Make sure that the program executing the index program 'swish' does not
perform argument expansion and meta-character interpretation in a shell,
disallows user supplied arguments starting with a dash and limits the
arguments to safe lengths (no larger than 1000 bytes). A proposed patch is
attached below.

Relevant information concerning security issues while programming for web
sites can be found at http://www.w3.org/Security/Faq/www-security-faq.html


Job

--------------------------
Job de Haas | job@itsx.com
ITSX | http://www.itsx.com


Patch for samplescript:
===========================

--- samplescript Tue Sep 29 14:01:35 1998
+++ samplescript.new Mon Nov 2 22:27:46 1998
@@ -72,7 +72,11 @@

$count=0;

-open(SWISH, "$swish -w $query -m $results -f $index|");
+# Remove leading dashes and limit to 256 characters
+$query =~ s/^-+(.*)/$1/;
+$results =~ s/^-+(.*)/$1/;
+$query =~ s/(.{256}).*/$1/;
+$results =~ s/(.{256}).*/$1/;
+open(SWISH,"-|") || exec $swish,"-w",$query,"-m",$results,"-f",$index;

#Check for errors
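Review bot: the child branch of `open(SWISH,"-|") || exec ...` has no exit path if `exec` fails; the child would then fall through and keep running the rest of the script (including the "Check for errors" code below) as a second process. Append `or exit 1` (or `die`) after the `exec` list. Also, the truncation regexes `s/(.{256}).*/$1/` stop at the first newline because `.` does not match `\n` without `/s`, so a value containing a newline keeps everything after it; `substr($query, 0, 256)` or the `/s` modifier truncates unconditionally. Note the comment says 256 characters while the Solution section above allows up to 1000 bytes; either is fine, but the two should agree.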

============================



-----BEGIN PGP SIGNATURE-----
Version: PGP 5.0i

iQA/AwUBNkdVaEkv/Q0TLteWEQKbhwCglavJWSnPZA3EXavd7uwNAKEmVW4AoOve
wyH89An7Xpslf46KooGvGxyQ
=dPji
-----END PGP SIGNATURE-----
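The fix the advisory describes, written out as a complete wrapper (an added example, not code from the advisory or from the Swish-E project; the binary path, index path and the `clean_arg`/`run_swish` names are assumptions):

```perl
#!/usr/bin/perl
# Added example: hardened invocation of swish from a CGI script.
# Paths below are assumed for illustration, not taken from the advisory.
use strict;
use warnings;

my $swish  = '/usr/local/bin/swish';    # assumed install path
my $index  = '/var/www/index.swish';    # assumed index file, not user-controlled
my $MAXLEN = 256;                       # length limit from the advisory's patch

# Make a user-supplied value safe to pass as a single argv entry:
# strip leading dashes so it cannot be parsed as an option, then truncate.
# substr (unlike /(.{256}).*/) also truncates values that contain newlines.
sub clean_arg {
    my ($val) = @_;
    $val = '' unless defined $val;
    $val =~ s/^-+//;
    return substr($val, 0, $MAXLEN);
}

# Run swish without a shell: fork via open("-|") and exec a list in the
# child, so characters such as ';', '|' or '`' arrive as literal text.
sub run_swish {
    my ($query, $results) = @_;
    my @cmd = ($swish, '-w', clean_arg($query),
               '-m', clean_arg($results), '-f', $index);
    my $pid = open(my $fh, '-|');
    die "fork failed: $!" unless defined $pid;
    if ($pid == 0) {                    # child process
        exec { $cmd[0] } @cmd
            or do { warn "exec $cmd[0] failed: $!"; exit 127; };
        # exit above prevents the child from running the parent's code
    }
    my @lines = <$fh>;                  # parent: read swish output
    close $fh;
    return @lines;
}

# Constructed input: with the original open("$swish -w $query ...|") the
# shell would have run the text after ';'. Here it is only a search term,
# and the leading dash on the result count is removed before exec.
print run_swish('foo; echo injected', '-10');
```

With `strace -f` or `ps` during a request you can confirm that no `/bin/sh` is spawned between the CGI script and the `swish` binary.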