Bugtraq mailing list archives

Re: CGI security hole in EWS (Excite for Web Servers)


From: len () COGENT NET (Len Charest)
Date: Thu, 18 Dec 1997 13:10:08 -0800


Note that architext_query.pl contains a subroutine named execSubprocess
(at line 141 in my copy of the code). It looks like a good candidate to
replace the open(X, "cmd |") idiom that permeates the EWS perl code.

Below is a context diff (with tabs replaced by spaces) for architext_query.pl with execSubprocess() used in place of open() in 2 locations. This code is UNTESTED.

Note that $maximum_query_time is normally defined in afeatures.pl. In the original distribution it is commented out.

Note also that convert_file_names() is unnecessary on UNIX systems.

# diff -c -t architext_query.pl.orig*
*** architext_query.pl.orig     Tue Jan 28 17:36:18 1997
--- architext_query.pl.orig+patch       Thu Dec 18 13:00:53 1997
***************
*** 196,208 ****
          $query = "(concept $query)";
      }

      ## do the search
!     $timeout = "-to $maximum_query_time" if $maximum_query_time;
!     $qcommand = "$queryprog -C $configfile $timeout -q \"$query\" -num $max_docs_to_return $syntax_flag";
!     $qcommand = &convert_file_names($qcommand);
      ## print $qcommand;
!         if (open(QUERY, "$qcommand |")) {
!         ## Accumulate the results.
          while (<QUERY>) {
              chop;
              if (/^ARCHITEXTERROR:/) {
--- 196,221 ----
          $query = "(concept $query)";
      }

+     # ----- COGENT -----
      ## do the search
!     # $timeout = "-to $maximum_query_time" if $maximum_query_time;
!     # $qcommand = "$queryprog -C $configfile $timeout -q \"$query\" -num $max_docs_to_return $syntax_flag";
!     # $qcommand = &convert_file_names($qcommand);
      ## print $qcommand;
!     # if (open(QUERY, "$qcommand |")) {
!     ## Accumulate the results.
!
!     # this is an absolute waste of time under UNIX
!     # &convert_file_names($queryprog);
!     # &convert_file_names($configfile);
!
!     my @timeout = ();
!     @timeout = ('-to', $maximum_query_time) if $maximum_query_time;
!
!     &execSubprocess(*QUERY, *QUERY_ERR, $queryprog, '-C', $configfile,
!                     @timeout, '-q', $query, '-num', $max_docs_to_return,
!                     $syntax_flag);
!
          while (<QUERY>) {
              chop;
              if (/^ARCHITEXTERROR:/) {
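Review bot: nothing checks whether `&execSubprocess(*QUERY, *QUERY_ERR, ...)` actually started the search program, and the `else` branch that set "Couldn't run search program." is now commented out, so a fork or exec failure falls straight into `while (<QUERY>)` on a handle that was never opened and ends up reported by the unchanged code further down as "No documents found." Test the result of execSubprocess (or that QUERY is open) and set $errstr before the read loop. A second point in the same call: `$syntax_flag` is passed as its own argv element, so an empty flag now reaches $queryprog as an empty-string argument, where the old shell string simply dropped it; build it conditionally the way @timeout is built, e.g. `my @syntax = length($syntax_flag) ? ($syntax_flag) : ();` and pass `@syntax`. Style: the `while (<QUERY>)` block is still indented as if inside the removed `if`.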
***************
*** 213,222 ****
              $results = 1 if /\S/;
              push(@queryresult, $_);
          }
-     } else {
-         $errstr = "Couldn't run search program.";
-     }


      if (!$results && !$errstr) {
          $errstr =  "<p><b>No documents found.</b>";
--- 226,240 ----
              $results = 1 if /\S/;
              push(@queryresult, $_);
          }

+         ## Errors to $errstr.
+         while (<QUERY_ERR>) {
+             $errstr .= $_;
+         }
+
+     # } else {
+     #     $errstr = "Couldn't run search program.";
+     # }

      if (!$results && !$errstr) {
          $errstr =  "<p><b>No documents found.</b>";
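Review bot: the new `while (<QUERY_ERR>)` drain runs only after stdout has been read to EOF. If the search program writes more than a pipe buffer's worth to stderr before it closes stdout, it blocks on the full stderr pipe while this code waits on QUERY, and the two hang until the `-to` timeout fires (if $maximum_query_time is set at all) or forever. Either read both handles together with select() / IO::Select, or have execSubprocess merge stderr into the stdout pipe and distinguish error lines by prefix (the existing `/^ARCHITEXTERROR:/` test already handles one such convention). Also, delete the commented-out `# } else {` block instead of leaving it under the COGENT banner; dead code in both branches of the old `if` will confuse the next maintainer.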
***************
*** 559,569 ****

      $urledit = $form{'urledit'};

!     $timeout = "-to $maximum_query_time" if $maximum_query_time;
!     $qcommand = "$queryprog -C $configfile $timeout -q \"$query\"";
!     $qcommand = &convert_file_names($qcommand);

!     if (open(QUERY, "$qcommand |")) {

      $groupnum = 0;
      $totalarts = 0;
--- 577,598 ----

      $urledit = $form{'urledit'};

!     # ----- COGENT -----
!     # $timeout = "-to $maximum_query_time" if $maximum_query_time;
!     # $qcommand = "$queryprog -C $configfile $timeout -q \"$query\"";
!     # $qcommand = &convert_file_names($qcommand);
!
!     # if (open(QUERY, "$qcommand |")) {
!
!     # this is an absolute waste of time under UNIX
!     # &convert_file_names($queryprog);
!     # &convert_file_names($configfile);
!
!     my @timeout = ();
!     @timeout = ('-to', $maximum_query_time) if $maximum_query_time;

!     &execSubprocess(*QUERY, *QUERY_ERR, $queryprog, '-C', $configfile,
!                     @timeout, '-q', $query);

      $groupnum = 0;
      $totalarts = 0;
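Review bot: same missing failure check as at the first call site: `&execSubprocess(*QUERY, *QUERY_ERR, $queryprog, '-C', $configfile, @timeout, '-q', $query)` is called with its result ignored while the old `else` error assignment is commented out. Beyond that, this hunk repeats the @timeout construction and the commented-out block verbatim; put the argument building and the execSubprocess call in one helper (for instance a `run_query(@extra_args)` that returns the handles) so the two sites cannot drift apart. Style: `my @timeout = (); @timeout = (...) if $maximum_query_time;` reads more clearly as `my @timeout = $maximum_query_time ? ('-to', $maximum_query_time) : ();`.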
***************
*** 634,642 ****
          }
      }

! } else {
!     $errstr = "Couldn't run search program.";
! }

      if ($errstr =~ /\S/) {
          return $errstr unless ($errstr =~ /^ld\.so/); ## ignore ld runtime
--- 663,676 ----
          }
      }

!     ## Errors to $errstr.
!     while (<QUERY_ERR>) {
!         $errstr .= $_;
!     }
!
!     # } else {
!     #     $errstr = "Couldn't run search program.";
!     # }

      if ($errstr =~ /\S/) {
          return $errstr unless ($errstr =~ /^ld\.so/); ## ignore ld runtime
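Review bot: $errstr now accumulates every stderr line, but the unchanged check `return $errstr unless ($errstr =~ /^ld\.so/)` only looks at the start of the whole string. An ld.so warning followed by a genuine error is therefore ignored entirely, and a genuine error on the first line is returned with any ld.so noise appended. Filter per line while accumulating, e.g. `next if /^ld\.so/;` before `$errstr .= $_;` inside the `while (<QUERY_ERR>)` loop, and then test `$errstr =~ /\S/` alone. The stdout-then-stderr ordering here has the same pipe-deadlock exposure as the first location.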

--
Len Charest                                         len () cogent net
Senior Software Engineer                              818-585-2788
Cogent Software, Inc.                       http://www.cogent.net/
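The execSubprocess() replacement the post describes, as an added example that is not code from EWS or from the patch above: a Perl fork/exec helper that passes the query as a single argv element (no shell), puts stdout and stderr on separate pipes and drains both with IO::Select so neither can block the other. The program path, config path, timeout and `run_subprocess` are assumed stand-ins for the EWS globals and for execSubprocess, not the project's own names.

```perl
# Added example, not code from the EWS distribution or from the posted patch.
# Runs the query program the way execSubprocess() is meant to: argv list, no shell.
use strict;
use IO::Select;
# Assumed stand-ins for the globals architext_query.pl reads from afeatures.pl.
my $queryprog          = '/usr/local/ews/bin/aquery';   # assumed path
my $configfile         = '/usr/local/ews/ews.conf';     # assumed path
my $maximum_query_time = 30;
my $syntax_flag        = '';                             # frequently empty

# Fork and exec $prog with @args; return (stdout, stderr, exit status).
sub run_subprocess {
    my ($prog, @args) = @_;
    pipe(my $out_r, my $out_w) or die "pipe: $!";
    pipe(my $err_r, my $err_w) or die "pipe: $!";
    my $pid = fork();
    die "fork: $!" unless defined $pid;
    if ($pid == 0) {                                   # child
        close $out_r; close $err_r;
        open(STDOUT, '>&', $out_w) or die "dup stdout: $!";
        open(STDERR, '>&', $err_w) or die "dup stderr: $!";
        exec { $prog } $prog, @args;   # list form: no /bin/sh, no metacharacters
        print STDERR "exec $prog: $!\n";               # exec failed, report it
        exit 127;
    }
    close $out_w; close $err_w;                        # parent keeps read ends
    my %buf = (out => '', err => '');
    my $sel = IO::Select->new($out_r, $err_r);
    # Read whichever pipe has data, so a chatty stderr cannot stall stdout.
    while ($sel->count and my @ready = $sel->can_read) {
        for my $fh (@ready) {
            my $n = sysread($fh, my $chunk, 4096);
            if (!$n) { $sel->remove($fh); close $fh; next; }
            $buf{ $fh == $out_r ? 'out' : 'err' } .= $chunk;
        }
    }
    waitpid($pid, 0);
    return ($buf{out}, $buf{err}, $? >> 8);
}

my $query   = defined $ARGV[0] ? $ARGV[0] : '';   # untrusted, one argv element
my @timeout = $maximum_query_time ? ('-to', $maximum_query_time) : ();
my @syntax  = length($syntax_flag) ? ($syntax_flag) : ();   # drop an empty flag
my ($out, $err, $status) = run_subprocess($queryprog, '-C', $configfile,
                                          @timeout, '-q', $query, @syntax);
# Keep only stderr lines that are real errors, not ld.so runtime noise.
my $errstr = join '', grep { !/^ld\.so/ } split /^/m, $err;
die "search program failed ($status): $errstr" if $status != 0 || $errstr =~ /\S/;
print $out;
```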
