COMMAND
SWISH
SYSTEMS AFFECTED
Systems running Swish package
PROBLEM
Job de Haas found the following. While installing the Swish search
engine (http://sunsite.berkeley.edu/SWISH-E) he discovered several
(potential) vulnerabilities. Swish-e and the accompanying
configuration package AutoSwish contain vulnerabilities in the
source code of the indexer, in an example perl script and in the
perl scripts generated by AutoSwish for setting up an entry form.
Although the major problem is in the example script, we found that
several sites use it. Also, the well-known nature of these issues
doesn't seem to make it less desirable to point them out (again).
The vulnerabilities could allow remote access to the web-server as
the user that the server is running as.
1) Perl script problems
=======================
Perl scripts to interface to the indexing and search program are
provided in two fashions: as plain example scripts and auto
generated by the AutoSwish configuration tool. The example
scripts are provided on the web site for Swish
http://sunsite.berkeley.edu/SWISH-E/Manual/webscripts.html
The scripts call the search program with parameters in the
following manner:
    open(SWISH,"$swish -w $query -m $results -f $index|");
The example scripts do this without stripping the user-supplied
arguments of shell meta-characters; AutoSwish-generated scripts do
some stripping. Still, subversion might be possible by providing
command line arguments as search strings. This is a problem due
to the way the arguments are processed by the indexing program.
This behavior can be prevented by using exec (which forces the
query to be passed as a single argument) and by removing any
leading dashes from the user-supplied strings. This should possibly
be something like:
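    # Strip leading dashes so the value cannot be taken as an option
    $query =~ s/^-+(.*)/$1/;
    $results =~ s/^-+(.*)/$1/;
    # open returns undef if the fork fails; only the child (0) may exec
    defined($pid = open(SWISH,"-|")) || die "cannot fork: $!";
    $pid || exec($swish,"-w",$query,"-m",$results,"-f",$index) || die "cannot exec $swish: $!";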
2) Buffer overflows
===================
The code of the actual index and search program contains numerous
buffer overflows, too many to list here. For the
arguments, these can be circumvented by first limiting the size
of the user-supplied arguments. The
following will allow you to keep using the binaries you have:
    # Truncate to 256 characters; /s makes . match newlines as well
    $query =~ s/^(.{256}).*/$1/s;
    $results =~ s/^(.{256}).*/$1/s;
Of course limiting the allowable characters in the query also
severely limits the possibilities for exploiting an overflow. We
have not fully evaluated what the impact could be when a user has
control over the files being indexed.
SOLUTION
Make sure that the program executing the index program 'swish'
does not perform argument expansion and meta-character
interpretation in a shell, disallows user supplied arguments
starting with a dash and limits the arguments to safe lengths (no
larger than 1000 bytes). A proposed patch is attached below.
Relevant information concerning security issues while programming
for web sites can be found at
http://www.w3.org/Security/Faq/www-security-faq.html
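A wrapper that applies the three points above (no shell, no leading dash, bounded length) together with a character allow-list, as an added example that is not part of the original advisory or the Swish distribution. The names clean_arg and run_swish, the allow-list itself and the digits-only rule for the -m value are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use POSIX ();

my $MAX_LEN = 256;    # same limit as the advisory's patch

# Return a cleaned copy of a user-supplied search string, or undef to reject.
sub clean_arg {
    my ($value) = @_;
    return undef unless defined $value;
    $value =~ s/\A[\s-]+//;                  # never starts with a dash
    $value = substr($value, 0, $MAX_LEN);    # truncates even across newlines
    # Assumed allow-list: ASCII letters, digits, underscore, space, asterisk.
    return undef unless $value =~ /\A[A-Za-z0-9_ *]+\z/;
    return $value;
}

# Run swish with no shell in between and return its output lines.
sub run_swish {
    my ($swish, $index, $query, $results) = @_;
    $query = clean_arg($query);
    die "rejected query\n" unless defined $query;
    # Assumption: the value given to -m is a count, so accept digits only.
    die "rejected result count\n"
        unless defined $results && $results =~ /\A[0-9]{1,4}\z/;

    my $pid = open(my $fh, "-|");
    die "cannot fork: $!\n" unless defined $pid;    # do not fall through to exec
    if ($pid == 0) {
        # Child: list-form exec hands each value over as one argv entry.
        exec { $swish } $swish, "-w", $query, "-m", $results, "-f", $index
            or warn "cannot exec $swish: $!\n";
        POSIX::_exit(127);    # a failed exec must not run the rest of the script
    }
    my @lines = <$fh>;
    close($fh);
    return @lines;
}

# Constructed inputs: a metacharacter, an option-like string, a plain query.
for my $q ("alpha;beta", "--opt value", "security faq") {
    my $c = clean_arg($q);
    printf "%-14s => %s\n", $q, defined $c ? "'$c'" : "rejected";
}
```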
Patch for samplescript:
--- samplescript Tue Sep 29 14:01:35 1998
+++ samplescript.new Mon Nov 2 22:27:46 1998
@@ -72,7 +72,11 @@
$count=0;
-open(SWISH, "$swish -w $query -m $results -f $index|");
+# Remove leading dashes and limit to 256 characters
+$query =~ s/^-+(.*)/$1/;
+$results =~ s/^-+(.*)/$1/;
+$query =~ s/(.{256}).*/$1/;
+$results =~ s/(.{256}).*/$1/;
+open(SWISH,"-|") || exec $swish,"-w",$query,"-m",$results,"-f",$index;
#Check for errors
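Review bot: The two added truncation lines, `s/(.{256}).*/$1/`, do not bound the length when the value contains newlines: `.` does not match a newline without the /s modifier, so a value with a newline within every 256 characters never matches and is passed through at full length. Use `substr($query, 0, 256)` (and the same for $results), or add /s and anchor the pattern. On the added open line, `open(SWISH,"-|") || exec ...` also runs the exec in the parent when the fork fails, because open returns undef in that case; test the return value with `defined` first, and make the child exit if exec itself fails so it does not continue into the rest of the script.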