security hole in swais, FYI
Marten Terpstra
Marten.Terpstra at ripe.net
Tue Sep 1 13:46:22 UTC 1992
Brewster Kahle <brewster at Think.COM> writes:
*
* Scott,
*
* There seems to be a problem with swais, could you please explain?
*
* We have been running it under a chroot for over a year now with no known
* problems. I am the project leader of WAIS and oversaw its development, so
* I would like to make sure this problem is understood and extinguished.
*
* John Curran of NNSC wrote the original version, Jonathan has been the
* maintainer of it and extender.
*
* Just to take a guess, are you running it for public login without doing a
* chroot?
*
* -brewster
Hi all,
Mark Kosters from GSI notified us of the problem. Using swais you can pipe
the output of a search into any command. You can do this by typing 'c' or '|'
on the output of a search.
Since we are running swais as a public service for people without their own
wais client this can be quite harmful. Mark demonstrated that he could start
a shell, list /etc/passwd and so on.
We are running swais under userID nobody, so too much harm cannot be done,
but still, we decided to disable the 'c' and '|' keys as commands.
We are running the thing without a chroot though.
The offending parts can be found in screen_ui.c. This is however with
wais-8-b4, don't know about b5.
Commenting out:
    case '|' : ;
    case 'c' : pipe_command(question);
               state=UNKNOWN;
               return(SHOWRESULTS);
in screen_ui.c does the trick, as far as we can see.
It would be nice if there was a compile time option to switch to swais in
"safe" mode, like some pagers have.
Also if you are offering this as a public service, make sure that the pipe
commands and shell escapes in the pager swais uses are disabled ...
Cheers,
-Marten
------------------------------------------------------------------------------
Marten Terpstra | RIPE Network Coordination Centre
phone: +31 20 592 5065 | PO BOX 41882,
fax: +31 20 592 5090 | NL-1098 SJ Amsterdam,
Internet: marten at ripe.net | The Netherlands
------------------------------------------------------------------------------
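The compile-time "safe" mode the post asks for, as an added example written for this page and not code from the WAIS distribution: a stand-in for the results-screen key dispatch in screen_ui.c in which the pipe/command keys never reach pipe_command() when built safe. The macro SWAIS_SAFE_MODE, results_key(), is_shell_escape_key() and the enum values other than SHOWRESULTS are assumed names.

```c
/* Added example (not code from the WAIS distribution): a stand-in for the
 * key dispatch in screen_ui.c with a compile-time "safe mode". The names
 * SWAIS_SAFE_MODE, results_key(), is_shell_escape_key() and REFUSED are assumed. */
#include <stdio.h>

/* Build with -DSWAIS_SAFE_MODE=0 to restore the pipe/command keys; the default
 * is the safe configuration, which is what a public login service wants. */
#ifndef SWAIS_SAFE_MODE
#define SWAIS_SAFE_MODE 1
#endif

/* Next-screen states; SHOWRESULTS is named in the post, the rest are assumed. */
enum ui_state { SHOWRESULTS, SHOWQUESTION, QUIT, REFUSED };

/* In the real client pipe_command() hands the search output to a shell.
 * This stub only counts how often it is reached, so a test can prove that
 * safe mode never gets here. */
static int pipe_command_calls = 0;
static void pipe_command(const char *question) {
    (void)question;
    pipe_command_calls++;
}

/* The two keys that open a command pipe from the results screen. */
int is_shell_escape_key(int key) {
    return key == '|' || key == 'c';
}

/* Dispatch one keystroke typed on the results screen; returns the next state. */
enum ui_state results_key(int key, const char *question) {
    if (is_shell_escape_key(key)) {
        if (SWAIS_SAFE_MODE)
            return REFUSED;         /* safe mode: the key is not a command at all */
        pipe_command(question);     /* original behaviour: pipe results to a command */
        return SHOWRESULTS;
    }
    switch (key) {
    case 'q': return QUIT;
    default:  return SHOWQUESTION;
    }
}

int pipe_command_call_count(void) { return pipe_command_calls; }

int main(void) {
    const char *q = "constructed sample question";   /* constructed input */
    printf("safe mode: %d\n", SWAIS_SAFE_MODE);
    printf("'|' -> %s\n", results_key('|', q) == REFUSED ? "refused" : "piped");
    printf("pipe_command reached %d time(s)\n", pipe_command_call_count());
    return 0;
}
```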