Bugtraq mailing list archives
Re: Verity/Search'97 Security Problems
From: jdandrea () FULLER IMS ATT COM (Joe D'Andrea)
Date: Mon, 20 Jul 1998 17:46:18 -0400
Regarding the infamous ResultTemplate security hole where you can supply something like ../../../../../../../etc/passwd in the URL and GET it, here's a SearchScript workaround I just dreamed up using filtered searches: <% if (InStr(Request.ResultTemplate, "..") > 0) OR (InStr(Request.ResultTemplate, "/") = 1) Then %> <% Request.QueryText = "" %> <% Request.ResultTemplate = "" %> <% endif %> If anyone sees any holes in this that I haven't covered, PLEASE speak up. I've tested it under Search'97 IS 2.1 (which we use, and for which there is no patch yet). How it works: If I see ".." anywhere in the ResultTemplate or "/" at the start of it, then I reset QueryText and ResultTemplate right away. Downstream, I look for blank queries and, if I find any, I just pretend that no search was performed and show the default search page again. I've informed Verity Technical Support of this workaround as well. Please feel free to write me with any questions pertaining to the above snippet. -- Joe D'Andrea AT&T Laboratories ----------------------------------------------------------------- PGP Fingerprint: DF 7C 75 57 28 ED 52 7F 5B 77 A7 32 C8 9E 0C D2
Current thread:
- Verity/Search'97 Security Problems Stefan Arentz (Jul 14)
- <Possible follow-ups>
- Re: Verity/Search'97 Security Problems Lloyd Vancil (Jul 16)
- Re: Verity/Search'97 Security Problems Jay Soffian (Jul 16)
- Re: Verity/Search'97 Security Problems Jay Soffian (Jul 16)
- Re: Verity/Search'97 Security Problems Joe D'Andrea (Jul 20)
- Re: Verity/Search'97 Security Problems Joe D'Andrea (Jul 22)