To Whom It May Concern:

This is in response to the recent posting on the BUGTRAQ list server concerning security issues with Verity's SEARCH'97 Information Server. Verity, Inc. takes security issues very seriously and we have moved quickly to make a patch release available that addresses these concerns. Verity recommends that all current users of Verity Information Server v3.1 download and install the patch.

Both issues have been addressed and the fixes are available immediately through Verity's Technical Support group. While there are ways to configure your web server to protect against both issues, the solution being made available by Verity is implemented in the applications. This is the preferred method to address the problem.

Patch information and downloads for Information Server 3.1 are available at:

https://customers.verity.com/products/server/310/patches/

The problems:

1. The DCM application, which listens on a particular port, did not require authentication. The daemon now restricts connections to localhost (IP address 127.0.0.1). The port number of the application can also be changed. If you are running the DCM daemon behind a firewall, you should assign a port that is below the firewall's restricted-ports threshold.

2. The result template variable was allowing users to substitute any file on the system using a relative path. This could provide access to any file on the system that the user account running the HTTP server had permission to read. The result template issue has been addressed by blocking the use of templates from anything other than result template directories registered in the Information Server. In addition, it is advised that you do not run the HTTP server on a system using an account with high privileges.

For further details, please contact Verity Technical Support at (403) 294-1107 or mailto:tech-supportat_private

Sincerely,

Ron Calhoun
Director, Server Applications
Verity, Inc.
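The second fix described in the message above, confining template lookups to registered result template directories, is a general pattern for closing a relative-path file disclosure. The following is an added illustration written for this archive page; it is not Verity's code and says nothing about how Information Server actually implements the check. It builds a throwaway directory layout (a constructed sample, not taken from the advisory), shows a resolver that joins the user-supplied template name to a directory with no check, which is the behaviour the message attributes to the unpatched product, and beside it a hardened resolver that resolves symlinks and `..` components and only returns paths that stay inside one of the registered directories. The names `TEMPLATE_DIRS`, `resolve_template_unsafe`, `resolve_template` and `read_template` are the example's own.

```python
import os
import tempfile

# Constructed sample layout (not from the advisory): two "registered" result
# template directories and one file outside them standing in for a system file
# the HTTP server account can read.
ROOT = tempfile.mkdtemp(prefix="template_demo_")
TEMPLATE_DIRS = [
    os.path.join(ROOT, "templates", "default"),
    os.path.join(ROOT, "templates", "custom"),
]
SECRET = os.path.join(ROOT, "etc", "passwd")

for d in TEMPLATE_DIRS:
    os.makedirs(d, exist_ok=True)
os.makedirs(os.path.dirname(SECRET), exist_ok=True)
with open(os.path.join(TEMPLATE_DIRS[0], "results.hts"), "w") as f:
    f.write("<html>results</html>")
with open(SECRET, "w") as f:
    f.write("root:x:0:0:root:/root:/bin/sh\n")  # constructed content


def resolve_template_unsafe(name):
    """Pre-fix behaviour as the advisory describes it (hypothetical code):
    the template parameter is joined to the template directory with no
    containment check, so "../../etc/passwd" walks out of the directory."""
    return os.path.normpath(os.path.join(TEMPLATE_DIRS[0], name))


def resolve_template(name):
    """Hardened resolver: return a path only if, after symlink and ".."
    resolution, it lies inside one of the registered template directories."""
    # Reject empty names, absolute paths and embedded NULs before touching the
    # filesystem; none of them can be a legitimate template name.
    if not name or os.path.isabs(name) or "\x00" in name:
        return None
    for base in TEMPLATE_DIRS:
        real_base = os.path.realpath(base)
        candidate = os.path.realpath(os.path.join(real_base, name))
        # commonpath compares whole path components, so a sibling directory
        # such as ".../templates/default2" does not pass as ".../templates/default".
        if os.path.commonpath([real_base, candidate]) != real_base:
            continue
        if os.path.isfile(candidate):
            return candidate
    return None


def read_template(name):
    """Load a template by name, refusing anything outside the registered dirs."""
    path = resolve_template(name)
    if path is None:
        raise PermissionError(
            f"template not found in a registered directory: {name!r}")
    with open(path) as f:
        return f.read()


if __name__ == "__main__":
    # The unchecked join reaches the file outside the template tree...
    print("unsafe ->", resolve_template_unsafe("../../etc/passwd"))
    # ...while the hardened resolver refuses it and still serves real templates.
    print("safe   ->", resolve_template("../../etc/passwd"))
    print("safe   ->", read_template("results.hts"))
```

Resolving both the base directory and the candidate with `os.path.realpath` before comparing is what makes the check hold against a symlink planted inside a template directory that points elsewhere; a plain string-prefix test on the unresolved path would not. The advice in the message to run the HTTP server under a low-privilege account is the complementary control: it limits what such a lookup could read even where a check like this is missing.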
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:05:55 PDT