
Re: Vulnerabilities with Swish

From: Roy Tennant <rtennant(at)not-real.library.berkeley.edu>
Date: Tue Nov 10 1998 - 21:56:00 GMT
By the way, AutoSwish is no longer available. It has been removed from
distribution until we can find the time to rebuild it or until someone
else steps forward and does it. I still believe that we need this
application, or something very much like it, but I see no alternative
until the time can be found to deal with the changes that need to be made.
Roy Tennant
SWISH-E Manager

On Tue, 10 Nov 1998, Job de Haas wrote:

> Hello,
> 
> While installing the Swish search engine (http://sunsite.berkeley.edu/SWISH-E)
> at our site (http://www.itsx.com) we discovered several (potential) 
> vulnerabilities. Swish-e and the accompanying configuration package AutoSwish
> contain vulnerabilities in the source code of the indexer, in an example perl
> script and in the perl scripts generated by AutoSwish for setting up an entry
> form. Although the major problem is in the example script we found that 
> several sites use this. Also the well known nature of these issues doesn't
> seem to make it less desirable to point them out (again).
> 
> Impact
> ------
> 
> The vulnerabilities could allow remote access to the web-server as the user
> that the server is running as.
> 
> Description
> -----------
> 
> 1) Perl script problems
> 
> Perl scripts to interface to the indexing and search program are provided
> in two fashions: as plain example scripts and auto generated by the 
> AutoSwish configuration tool.  The example scripts are provided on the web
> site for Swish ( http://sunsite.berkeley.edu/SWISH-E/Manual/webscripts.html).
> The scripts call the search program with parameters in the following manner:
> 
> 	open(SWISH,"$swish -w $query -m $results -f $index|");
> 
> The example scripts do this without stripping the user supplied arguments of 
> shell meta-characters, AutoSwish generated scripts do some stripping.
> Still, subversion might be possible by providing command line arguments as
> search strings. This is a problem due to the way the arguments are processed
> by the indexing program.
> 
> This behavior can be prevented by using exec (which enforces the query to
> be a single argument) and by removing any leading dashes from the user 
> supplied strings.
> 
> This should possibly be something like:
> 
> 	$query =~ s/^-+(.*)/$1/;
> 	$results =~ s/^-+(.*)/$1/;
> 	open(SWISH,"-|") || exec $swish,"-w",$query,"-m",$results,"-f",$index;
> 
> 
> 2) Buffer overflows
> 
> The code of the actual index and search program contains numerous buffer
> overflows. These are too superfluous to mention. For the arguments these can
> be circumvented by doing some preliminary limitation on the size of these 
> user supplied arguments. The following will allow you to keep using the 
> binaries you have:
> 
> 	$query =~ s/(.{256}).*/$1/;
> 	$results =~ s/(.{256}).*/$1/;
> 
> Of course limiting the allowable characters in the query also severely limits
> the possibilities for exploiting an overflow. We have not fully evaluated what
> the impact could be when a user has control over the files being indexed.
> 
> Solution
> --------
> 
> Make sure that the program executing the index program 'swish' does not
> perform argument expansion and meta-character interpretation in a shell,
> disallows user supplied arguments starting with a dash and limits the 
> arguments to safe lengths (no larger than 1000 bytes). A proposed patch is 
> attached below.
> 
> Relevant information concerning security issues while programming for web 
> sites can be found at http://www.w3.org/Security/Faq/www-security-faq.html
> 
> 
> Job
> 
> --------------------------
> Job de Haas | job@itsx.com
> ITSX | http://www.itsx.com
> 
> 
> Patch for samplescript:
> ===========================
> 
> --- samplescript        Tue Sep 29 14:01:35 1998
> +++ samplescript.new    Mon Nov  2 22:27:46 1998
> @@ -72,7 +72,12 @@
>  
>  $count=0;
>  
> -open(SWISH, "$swish -w $query -m $results -f $index|");
> +# Remove leading dashes and limit to 256 characters
> +$query =~ s/^-+(.*)/$1/;
> +$results =~ s/^-+(.*)/$1/;
> +$query =~ s/(.{256}).*/$1/;
> +$results =~ s/(.{256}).*/$1/;
> +open(SWISH,"-|") || exec $swish,"-w",$query,"-m",$results,"-f",$index;
>  
>  #Check for errors
> 
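Review bot: the new `open(SWISH,"-|") || exec ...` line has no fall-through guard in the child: if `exec` fails (binary missing, not executable), `exec` returns false and the forked child continues running the rest of samplescript as a second copy of the CGI, emitting its own output and error handling. Follow the exec with an exit, e.g. `exec $swish,"-w",$query,"-m",$results,"-f",$index or exit 1;`, and make the fork failure case (`open` returning undef) distinct from the child case (`0`) rather than relying on `||`. Also, the length caps `s/(.{256}).*/$1/` do not span newlines because `.` excludes `\n` without the `/s` modifier, so a query containing a newline keeps everything after it; `substr($query, 0, 256)` (or adding `/s`) enforces the limit the comment promises, and `$results` should additionally be checked to be purely numeric since it is passed to `-m`.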
> ============================
> 
> 
Received on Tue Nov 10 14:02:57 1998
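The hardened pattern the advisory describes (no shell between the CGI script and the search binary, leading dashes removed, argument length capped), written out as a complete script. This is an added example, not code from the advisory, from the SWISH-E samplescript or from AutoSwish. The 256-character cap is the advisory's figure; the numeric check on the result count, the default of 40 results, and the use of `/bin/echo` as a stand-in for the `swish` binary (so the argument vector the child receives is simply printed back) are assumptions made for this example.

```perl
#!/usr/bin/perl
# Added example (not part of the original advisory or of SWISH-E):
# handing user-supplied CGI input to an external search binary safely.
use strict;
use warnings;

# Maximum length forwarded to the binary; 256 is the advisory's figure.
my $MAX_LEN = 256;

# Strip leading dashes so the value can never be parsed as an option,
# then truncate with substr (unlike s/(.{256}).*/$1/, this also holds
# for values that contain newlines).
sub sanitize_arg {
    my ($value) = @_;
    $value = '' unless defined $value;
    $value =~ s/^-+//;
    return substr($value, 0, $MAX_LEN);
}

# The result count goes to -m and must be a plain integer; anything else
# falls back to a default (40 is an assumed value for this example).
sub sanitize_count {
    my ($value) = @_;
    return (defined $value && $value =~ /^([0-9]{1,4})$/) ? $1 : 40;
}

# Run $prog with an argument list and return its stdout as a list of lines.
# exec with the indirect-object form and a list never consults /bin/sh,
# so ';', '|', '$HOME' and friends arrive at the program as literal bytes.
sub run_search {
    my ($prog, $query, $results, $index) = @_;
    my @argv = ($prog, '-w', sanitize_arg($query),
                       '-m', sanitize_count($results),
                       '-f', $index);

    my $pid = open(my $fh, '-|');          # fork; child's stdout -> $fh
    die "fork failed: $!" unless defined $pid;
    if ($pid == 0) {
        # Child: become the search program. If exec fails we must exit,
        # otherwise the child would fall through and keep running the
        # rest of the CGI script as a second copy.
        exec { $argv[0] } @argv or do {
            warn "exec $argv[0] failed: $!\n";
            exit 127;
        };
    }
    my @lines = <$fh>;
    close($fh);
    return @lines;
}

# Stand-in for the swish binary: /bin/echo prints its argv, so we can see
# exactly what reached the child. Both inputs below are constructed.
print run_search('/bin/echo', 'cats; echo $HOME', '-10', 'index.swish');
# -> -w cats; echo $HOME -m 40 -f index.swish   (metacharacters untouched)
print run_search('/bin/echo', '--help',           '25',  'index.swish');
# -> -w help -m 25 -f index.swish               (option dashes removed)
```

The two printed lines show the properties the advisory asks for: the semicolon and `$HOME` in the first query are passed through verbatim as a single argument rather than interpreted, and a query beginning with dashes cannot be turned into an option of the indexer.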