Re: Verity/Search'97 Security Problems

To: BUGTRAQ@xxxxxxxxxxxx
Subject: Re: Verity/Search'97 Security Problems
From: "Joe D'Andrea" <jdandrea@xxxxxxxxxxxxxxxxxx>
Date: Mon, 20 Jul 1998 17:46:18 -0400
Approved-by: aleph1@DFW.NET
Organization: AT&T Laboratories
Reply-to: jdandrea@xxxxxxx
Sender: Bugtraq List <BUGTRAQ@xxxxxxxxxxxx>

Regarding the infamous ResultTemplate security hole where you can supply
something like ../../../../../../../etc/passwd in the URL and GET it,
here's a SearchScript workaround I just dreamed up using filtered searches:

 <% if (InStr(Request.ResultTemplate, "..") > 0) OR
(InStr(Request.ResultTemplate, "/") = 1) Then %>
  <% Request.QueryText = "" %>
  <% Request.ResultTemplate = "" %>
 <% endif %>

If anyone sees any holes in this that I haven't covered, PLEASE speak up.

I've tested it under Search'97 IS 2.1 (which we use, and for which there
is no patch yet). How it works: If I see ".." anywhere in the ResultTemplate
or "/" at the start of it, then I reset QueryText and ResultTemplate right
away. Downstream, I look for blank queries and, if I find any, I just pretend
that no search was performed and show the default search page again.

I've informed Verity Technical Support of this workaround as well.

Please feel free to write me with any questions pertaining to the
above snippet.


--
Joe D'Andrea                                    AT&T Laboratories
-----------------------------------------------------------------
PGP Fingerprint: DF 7C 75 57 28 ED 52 7F  5B 77 A7 32 C8 9E 0C D2

Prev by Date: Re: On compilers and bounds checking (was: EMERGENCY: new remote root exploit in UW imapd)
Next by Date: Re: Bounds checking - historical aside
Previous by thread: Verity/Search'97 Security Problems
Next by thread: Re: Verity/Search'97 Security Problems
Index(es):
- Date
- Thread