security hole in swais, FYI

Marten Terpstra Marten.Terpstra at
Tue Sep 1 13:46:22 UTC 1992

 Brewster Kahle <brewster at Think.COM> writes:
  * Scott,
  * There seems to be a problem with swais, could you please explain?
  * We have been running it under a chroot for over a year now with no known
  * problems.  I am the project leader of WAIS and oversaw its development, so
  * I would like to make sure this problem is understood and extinguished.
  * John Curran of NNSC wrote the original version, Jonathan has been the
  * maintainer of it and extender.
  * Just to take a guess, are you running it for public login without doing a
  * chroot?
  * -brewster

Hi all,

Mark Kosters from GSI notified us of the problem. Using swais you can pipe
the output of a search into any command. You can do this by typing 'c' or '|'
on the output of a search.

Since we are running swais as a public service for people without their own
wais client this can be quite harmful. Mark demonstrated that he could start
a shell, list /etc/passwd and so on.

We are running swais under userID nobody, so too much harm cannot be done,
but still, we decided to disable the 'c' and '|' keys as commands.
We are running the thing without a chroot though.

The offending parts can be found in screen_ui.c. This is however with
wais-8-b4, don't know about b5.

Commenting out:

            case '|'  : ;
            case 'c'  : pipe_command(question);

in screen_ui.c does the trick, as far as we can see.
It would be nice if there was a compile time option to switch to swais in
"safe" mode, like some pagers have.

Also if you are offering this as a public service, make sure that the pipe
commands and shell escapes in the pager swais uses are disabled ...


     Marten Terpstra		|        RIPE Network Coordination Centre
 phone: +31 20 592 5065		|	          PO BOX 41882,
  fax:  +31 20 592 5090		|	     NL-1098 SJ  Amsterdam,
Internet: marten at	|                The Netherlands

More information about the NANOG mailing list