> On Mon, 20 Jul 1998, Joe D'Andrea wrote:
>
> Regarding the infamous ResultTemplate security hole where you can supply
> something like ../../../../../../../etc/passwd in the URL and GET it,
> here's a SearchScript workaround I just dreamed up using filtered searches:
>
> <% if (InStr(Request.ResultTemplate, "..") > 0) OR
>       (InStr(Request.ResultTemplate, "/") = 1) Then %>
> <% Request.QueryText = "" %>
> <% Request.ResultTemplate = "" %>
> <% endif %>
>
> If anyone sees any holes in this that I haven't covered, PLEASE speak up.

Big-time thanks to those who responded. Here are the issues raised:

Q: What if, instead of ../, you throw in stuff like %2e%2e%2f ?

A: Doesn't seem to matter in IS 2.1. ResultTemplate is already "decoded" by the
time it reaches the filter.

Q: What if someone inserts an escape character of some sort into the query,
perhaps causing ASP to break out of the InStr and allow the malicious query to
be executed?

A: Good question. I take this to mean Active Server Pages. If someone is using
ASP and wants to test this on their own system ... <grin>.

Q: Does Netscape Catalog Server (which uses Verity search technology) have the
same vulnerability?

A: It might, but I don't have Catalog Server so I can't test it. Surely a fun
assignment if anyone wants to try. I think Netscape Enterprise Server also has
some form of Verity technology, but I do not know if it's based on Search'97 IS.

Q: What if someone alters or recodes the request to not use filtersearch?

A: Ack, you just found a shortcoming! Congrats. Hey, that's why I posted the
message to BUGTRAQ, to ask for a reality check. Here it is.

So how to handle this last gotcha? It's true that there is a results formatting
parameter in IS 2.x and 3.x called SearchAction. The documentation reads:

  "Internal Use Only. Designates the SEARCHScript action to use in creating
  page URLs. Specify in [Common], [Server], or [SearchDefaults] section of
  configuration file."

(Right. So let me get this straight. It's for internal use only, but it's
documented as if I can set it anyway ... or perhaps I'm misreading it.)

Actually, it's a moot point if all this does is set a DEFAULT action. If I can
still put action=search in the URL and avoid filtered searches, then all bets
are off. I have a call in to Verity to check on this.

--
Joe D'Andrea
AT&T Laboratories
-----------------------------------------------------------------
PGP Fingerprint: DF 7C 75 57 28 ED 52 7F 5B 77 A7 32 C8 9E 0C D2
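The following is an added example for this thread; it is not code from Joe D'Andrea's post or from Verity's Search'97 Information Server. It places the post's InStr-style substring check beside a decode-then-allowlist check of the kind a practitioner would put in the request handler itself, and exercises the two bypass classes the replies raised: percent-encoded dot segments (including double encoding) and a request that names a different action so the filtering template never runs. The template directory, the allowed template names, the .hts extension and the handle_request shape are assumptions for the example, not details from the post.

```python
"""Checking a caller-supplied result-template name before it becomes a path.

Added example for the BUGTRAQ thread above; not code from the post or from
Verity's product. It contrasts the post's substring check with a
decode-then-allowlist check performed for every request.
"""
import posixpath
from pathlib import PurePosixPath
from typing import Optional
from urllib.parse import unquote

# Assumed deployment details (not from the post): where templates live,
# which templates exist, and their file extension.
TEMPLATE_ROOT = PurePosixPath("/opt/search/templates")
ALLOWED_TEMPLATES = {"default", "compact", "detailed"}
TEMPLATE_EXT = ".hts"


def substring_filter(name: str) -> bool:
    """The post's check: reject '..' anywhere or a leading '/'. True = accepted.
    It inspects the raw value, so a percent-encoded '..' slips through unless
    the server has already decoded the parameter."""
    return ".." not in name and not name.startswith("/")


def fully_decode(name: str, max_rounds: int = 4) -> str:
    """Percent-decode until the value stops changing, so %2e%2e%2f and the
    double-encoded %252e%252e%252f both reduce to a literal '../'."""
    for _ in range(max_rounds):
        decoded = unquote(name)
        if decoded == name:
            break
        name = decoded
    return name


def resolve_template(name: str) -> Optional[PurePosixPath]:
    """Decode, normalise separators, allowlist, then confirm the resulting
    path still sits under TEMPLATE_ROOT. Returns None on any failure."""
    decoded = fully_decode(name).replace("\\", "/")
    # A template name is a bare identifier: any separator or NUL is rejected
    # outright rather than sanitised, so there is nothing left to traverse with.
    if "/" in decoded or "\0" in decoded or decoded not in ALLOWED_TEMPLATES:
        return None
    candidate = PurePosixPath(
        posixpath.normpath(str(TEMPLATE_ROOT / (decoded + TEMPLATE_EXT)))
    )
    # Defence in depth: even with the allowlist, refuse anything outside the root.
    if TEMPLATE_ROOT not in candidate.parents:
        return None
    return candidate


def handle_request(params: dict) -> Optional[PurePosixPath]:
    """Hypothetical server-side handler (assumed shape). The check runs for
    every request regardless of the 'action' parameter, so a URL that says
    action=search instead of action=filtersearch cannot skip it."""
    name = params.get("ResultTemplate", "")
    return resolve_template(name)


if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic.
    for value in ("default", "../../../../../../../etc/passwd",
                  "%2e%2e%2fetc/passwd", "%252e%252e%252fetc/passwd"):
        print(f"{value!r:40} substring_filter={substring_filter(value)!s:5} "
              f"resolve_template={resolve_template(value)}")
```

The substring check alone accepts "%2e%2e%2fetc/passwd" because it never decodes; whether that matters in practice depends on whether the server decodes the parameter before the template sees it, which is exactly the point left open in the post. Rejecting any separator and allowlisting the name removes the dependency on that ordering, and putting the check in the handler rather than in an optional template closes the action=search gap.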
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:07:19 PDT