Bugtraq mailing list archives

[COVERT-2000-08] O'Reilly WebSite Professional Overflow


From: seclabs () NAI COM (COVERT Labs)
Date: Wed, 19 Jul 2000 13:54:37 -0700



_____________________________________________________________________

                     Network Associates, Inc.
                  COVERT Labs Security Advisory
                          July 19, 2000

              O'Reilly WebSite Professional Overflow

                         COVERT-2000-08
______________________________________________________________________

o Synopsis

The indexing utility webfind.exe distributed with O'Reilly WebSite
Professional contains an unchecked buffer that allows remote
execution of arbitrary code on vulnerable hosts.

RISK FACTOR: HIGH

______________________________________________________________________

o Vulnerable Systems

O'Reilly WebSite Professional version 2.x for Windows 9x/NT/2000.

______________________________________________________________________

o Vulnerability Information

WebSite Professional contains two utilities, webindex and webfind,
that provide full-text search capabilities for a WebSite server.
Webindex provides a walkthrough wizard to create a new index,
reconfigure an existing one or delete an old one.  Webfind is the
CGI program that searches the indexes created by Webindex.

Webfind displays a search form for the user to complete, then
executes the search.  The webfind search form takes a user-defined
string, adding it to the "keywords" parameter of the QUERY_STRING in
the web request.

Passing an overly long value in the "keywords" parameter overwrites the
stack with user-defined data, allowing the execution of arbitrary code
on the remote host.
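As an added illustration of the bug class (not webfind's own code, which this advisory does not show), a hypothetical CGI handler in C that copies the "keywords" value out of QUERY_STRING into a fixed stack buffer, first without a length check and then with the check that closes the overflow; KEYWORDS_MAX, query_param and the two search_* functions are assumed names.

```c
/* Added illustration, not webfind's source: a CGI search handler that copies
 * the "keywords" value out of QUERY_STRING into a fixed stack buffer, first
 * unchecked, then with the length check that closes the overflow. */
#include <string.h>

#define KEYWORDS_MAX 64   /* hypothetical size of the stack buffer */
/* Locate the value of `name` in a query string; sets *len, returns NULL if absent. */
static const char *query_param(const char *qs, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    const char *p = qs;
    while (p && *p) {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            const char *end = strchr(v, '&');
            *len = end ? (size_t)(end - v) : strlen(v);
            return v;
        }
        p = strchr(p, '&');     /* skip to the next parameter */
        if (p) p++;
    }
    return NULL;
}

/* Unchecked pattern: nothing compares len against sizeof keywords, so a long
 * value writes past the buffer into the saved frame (the bug class described). */
int search_unchecked(const char *qs)
{
    char keywords[KEYWORDS_MAX];
    size_t len;
    const char *v = query_param(qs, "keywords", &len);
    if (!v) return -1;
    memcpy(keywords, v, len);
    keywords[len] = '\0';
    return (int)strlen(keywords);   /* stands in for running the search */
}

/* Hardened: refuse any value that does not fit (with its terminator) before copying. */
int search_checked(const char *qs)
{
    char keywords[KEYWORDS_MAX];
    size_t len;
    const char *v = query_param(qs, "keywords", &len);
    if (!v) return -1;
    if (len >= KEYWORDS_MAX) return -2;   /* too long: reject the request */
    memcpy(keywords, v, len);
    keywords[len] = '\0';
    return (int)strlen(keywords);
}
```

The fix is the single length comparison before the copy; the unchecked variant is only ever safe to call with a value shorter than the buffer.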

______________________________________________________________________

o Resolution

O'Reilly has corrected this issue in WebSite Professional 2.5, which
is now available from:  http://website.oreilly.com

______________________________________________________________________

o Credits

This vulnerability was discovered by Barnaby Jack at the COVERT Labs
of PGP Security, Inc.

______________________________________________________________________

o Contact Information

For more information about the COVERT Labs at PGP Security, visit our
website at http://www.nai.com/covert or send e-mail to covert () nai com

______________________________________________________________________

o Legal Notice

The information contained within this advisory is Copyright (C) 2000
Networks Associates Technology Inc.  It may be redistributed provided
that no fee is charged for distribution and that the advisory is not
modified in any way.

Network Associates and PGP are registered Trademarks of Network
Associates, Inc. and/or its affiliated companies in the United States
and/or other Countries.  All other registered and unregistered
trademarks in this document are the sole property of their respective
owners.

______________________________________________________________________

