Vulnerability

    SWISH

Affected

    Systems running Swish package

Description

    Job de Haas  found following.   While installing the  Swish search
    engine (http://sunsite.berkeley.edu/SWISH-E) he discovered several
    (potential)  vulnerabilities.    Swish-e   and  the   accompanying
    configuration  package  AutoSwish  contain  vulnerabilities in the
    source code of the indexer, in  an example perl script and in  the
    perl scripts generated by AutoSwish for setting up an entry  form.
    Although the major problem is in the example script we found  that
    several sites use this. Also the well known nature of these issues
    doesn't seem to make it less desirable to point them out  (again).
    The vulnerabilities could allow remote access to the web-server as
    the user that the server is running as.

    1) Perl script problems
    =======================
    Perl scripts to interface to  the indexing and search program  are
    provided  in  two  fashions:  as  plain  example  scripts and auto
    generated  by  the  AutoSwish  configuration  tool.   The  example
    scripts are provided on the web site for Swish

        http://sunsite.berkeley.edu/SWISH-E/Manual/webscripts.html

    The  scripts  call  the  search  program  with  parameters  in the
    following manner:

        open(SWISH,"$swish -w $query -m $results -f $index|");

    The example scripts  do this without  stripping the user  supplied
    arguments of shell meta-characters, AutoSwish generated scripts do
    some stripping.  Still, subversion might be possible by  providing
    command line arguments as search  strings.  This is a  problem due
    to the way  the arguments are  processed by the  indexing program.
    This behavior can be prevented  by using exec (which enforces  the
    query to be a single argument) and by removing any leading  dashes
    from the user supplied strings.  This should possibly be something
    like:

        $query =~ s/^-+(.*)/$1/;
        $results =~ s/^-+(.*)/$1/;
        open(SWISH,"-|") || exec $swish,"-w",$query,"-m",$results,"-f",$index;

    2) Buffer overflows
    ====================
    The code of the actual index and search program contains  numerous
    buffer overflows.  These are too superfluous to mention.  For  the
    arguments  these  can  be  circumvented  by doing some preliminary
    limitation on  the size  of these  user supplied  arguments.   The
    following will allow you to keep using the binaries you have:

        $query =~ s/(.{256}).*/$1/;
        $results =~ s/(.{256}).*/$1/;

    Of  course  limiting  the  allowable  characters in the query also
    severely limits the possibilities  for exploiting an overflow.  We
    have not fully evaluated what the impact could be when a user  has
    control over the files being indexed.

Solution

    Make sure  that the  program executing  the index  program 'swish'
    does   not   perform   argument   expansion   and   meta-character
    interpretation  in  a  shell,  disallows  user  supplied arguments
    starting with a dash and limits the arguments to safe lengths  (no
    larger than  1000 bytes).   A proposed  patch is  attached  below.
    Relevant information concerning security issues while  programming
    for web sites can be found at

        http://www.w3.org/Security/Faq/www-security-faq.html

    Patch for samplescript:

    --- samplescript        Tue Sep 29 14:01:35 1998
    +++ samplescript.new    Mon Nov  2 22:27:46 1998
    @@ -72,7 +72,11 @@

     $count=0;

    -open(SWISH, "$swish -w $query -m $results -f $index|");
    +# Remove leading dashes and limit to 256 characters
    +$query =~ s/^-+(.*)/$1/;
    +$results =~ s/^-+(.*)/$1/;
    +$query =~ s/(.{256}).*/$1/;
    +$results =~ s/(.{256}).*/$1/;
    +open(SWISH,"-|") || exec $swish,"-w",$query,"-m",$results,"-f",$index;
     #Check for errors