COMMAND

    Verity/Search'97

SYSTEMS AFFECTED

    Systems running Verity/Search'97

PROBLEM

    Stefan Arentz found the following.  There are two major security holes
    in the Verity/Search'97 software.  The first one is a simple CGI hack
    that allows anybody with permission to execute the s97_cgi CGI script
    to read files on the webserver.  The second security problem is an
    authorization problem with the tasmgr application.

    The s97_cgi and s97r_cgi programs provide an interface for web based
    applications to the Verity search engine.  These two programs
    typically handle search queries and show the results of those
    queries.  One of the parameters to the script names a template file
    that is used to show the result of the search query.  This path is
    relative to a directory that you have to specify in the Verity
    configuration files.

    The problem is that this template pathname is appended to the base
    directory name without proper checking of the path for .. or %2e%2e.
    This means that it is possible to jump out of the templates directory
    and use any file on the Verity host as a result template.  The file
    will be sent back to the client browser in its original form, or with
    minor modifications if it contained any valid HTMLscript tags
    (Verity's script language).

    Sample query:

        http://www.xxx.com/search97.vts
          ?HLNavigate=On&querytext=dcm
          &ServerKey=Primary
          &ResultTemplate=../../../../../../../etc/passwd
          &ResultStyle=simple
          &ResultCount=20
          &collection=books

    Please note that only files can be read for which the owner of the
    webserver process has permission.

    The tasmgr process, part of the Agent Server, listens on port 1972
    for administrative commands.  Unfortunately this requires no
    authorization at all, so anybody can start and stop your agent
    processes:

        Connected to search97.xxx
        Escape character is '^]'.
        0 Verity dcm ready
        list
        0 TAS-Primary
        status tas-primary
        0 TYPE=PROCESS; STATE=RUNNING; STARTUP=AUTO_START; PID=87632
        stop tas-primary
        0 'tas-primary' signalled
        status tas-primary
        0 TYPE=PROCESS; STATE=STOPPING; STARTUP=AUTO_START; PID=87632
        where
        0 /home/verity/_hpux10/bin/dcm.cfg

SOLUTION

    Verity recommends  that all  current users  of Verity  Information
    Server v3.1 download and install the patch.  Both issues have been
    addressed and the fixes are available immediately through Verity's
    Technical  Support  group.   Patch  information  and downloads for
    Information Server 3.1 are available at:

        https://customers.verity.com/products/server/310/patches/

    Joe D'Andrea from AT&T Laboratories made a SearchScript workaround,
    which he tested under Search'97 IS 2.1 (for which there is no patch
    yet).  How it works: if ".." appears anywhere in the ResultTemplate,
    or "/" at the start of it, then it resets QueryText and
    ResultTemplate right away.  Downstream, it looks for blank queries
    and, if it finds any, it just pretends that no search was performed
    and shows the default search page again.  Patch:

        <% if (InStr(Request.ResultTemplate, "..") > 0) OR
              (InStr(Request.ResultTemplate, "/") = 1) Then %>
          <% Request.QueryText = "" %>
          <% Request.ResultTemplate = "" %>
        <% endif %>
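    As an added illustration (not part of the advisory, of Verity's code or of
    the SearchScript workaround above), the following Python shows the check
    the PROBLEM section says s97_cgi lacked: decode the ResultTemplate value,
    join it to the configured template directory, normalise it, and confirm
    the result still lies below that directory.  The base directory
    /opt/verity/templates and the template names are constructed for the
    example; the real base comes from the Verity configuration files.

```python
import posixpath
from urllib.parse import unquote

# Constructed for this example; the real base is set in the Verity configuration.
TEMPLATE_BASE = "/opt/verity/templates"


def resolve_template(base_dir, user_template):
    """Return the absolute path of the requested template, or None if the
    request would escape base_dir (assumed absolute and not the root "/").

    The advisory's point is that s97_cgi appended the parameter to the base
    directory without checking for ".." or "%2e%2e"; this checks the decoded,
    normalised path rather than the raw string.
    """
    # Collapse URL encoding before looking at the path, so %2e%2e and the
    # double-encoded %252e%252e both become "..".  Reject input that is still
    # changing after a few rounds instead of guessing how many layers it has.
    decoded = user_template
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    else:
        return None
    # Absolute names, backslashes and NUL bytes have no place in a template
    # name; posixpath.join would discard base_dir for an absolute name.
    if not decoded or decoded.startswith("/") or "\\" in decoded or "\x00" in decoded:
        return None
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, decoded))
    # Containment: the final path must sit strictly below the base directory.
    # "books/../simple.hts" normalises back inside and is allowed here; the
    # SearchScript workaround is stricter and rejects any ".." at all.
    if not candidate.startswith(base + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample values, including the traversal forms named in the advisory.
    for name in ("simple.hts", "books/../simple.hts",
                 "../../../../../../../etc/passwd",
                 "%2e%2e/%2e%2e/etc/passwd", "%252e%252e/etc/passwd",
                 "/etc/passwd"):
        print(f"{name!r:40} -> {resolve_template(TEMPLATE_BASE, name)}")
```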