Bugtraq mailing list archives

Re: Verity/Search'97 Security Problems


From: lev () APPLE COM (Lloyd Vancil)
Date: Thu, 16 Jul 1998 07:53:46 -0700


With my setup I can see world readable files but root readable only -/etc/shadow/- get errors.



Verity's bug Id is 40663.  As of this AM 16 July 98, they promise patch
by end of week?


It can be worse, folks.
The stuff comes off the CD owned by root.
Lots and lots of it is 0777 that does not have to be.
The only saving grace is that their scripting lang does not
directly write files.  But if the underlying webserver was misconfigured
to allow writes you could upload a cgi to the s97 bin directory then
use the engine to execute your own code... brrrrr


It is a real good idea to make sure the s97 stuff is owned by the same user
as the httpd server, and to make sure that user does not have privs you
haven't thought out carefully.  Also it would be smart to change the rest
of the files to 644 or in some cases 400.

L.


I've mentioned this a couple of weeks back to Verity tech support but
unfortunately nothing has happened since.

++ Intro

There are two major security holes in the Verity/Search'97 software.
The first one is a simple CGI hack that allows anybody with permission
to execute the s97_cgi CGI script to look at files on the webserver.

The second security problem is an authorization problem with the tasmgr
application.

..snip

         lev@    _/_/_/_/  _/_/_/_/  _/_/_/_/  _/      _/_/_/
searchmaster@   _/    _/  _/    _/  _/    _/  _/      _/
               _/    _/  _/_/_/_/  _/_/_/_/  _/      _/_/_/    .com
              _/_/_/_/  _/        _/        _/      _/
             _/    _/  _/        _/        _/_/_/  _/_/_/
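
The ownership and mode advice in the message above, as an added audit sketch (not part of the original post and not Verity's code): it walks an install tree and reports world-writable entries, entries not owned by the expected web-server uid, and executable files outside the directories where executables are expected. The `bin` layout, the issue labels and the sample file names other than s97_cgi are assumptions.

```python
import os
import stat
import tempfile

def audit_tree(root, expected_uid, exec_dirs=("bin",)):
    """Return sorted (relative_path, issue) pairs for entries under root."""
    # exec_dirs: subdirectories where executables are expected (assumed layout).
    root = os.path.abspath(root)
    exec_roots = [os.path.join(root, d) for d in exec_dirs]
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow links out of the tree
            if stat.S_ISLNK(st.st_mode):
                continue
            rel = os.path.relpath(path, root)
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if st.st_uid != expected_uid:
                findings.append((rel, "unexpected-owner"))
            in_exec = any(os.path.commonpath([path, e]) == e for e in exec_roots)
            if stat.S_ISREG(st.st_mode) and mode & 0o111 and not in_exec:
                findings.append((rel, "executable-outside-bin"))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample install tree (hypothetical file names and modes)."""
    root = tempfile.mkdtemp(prefix="s97-audit-")
    layout = {"bin/s97_cgi": 0o755, "bin/helper": 0o777,
              "docs/readme.txt": 0o777, "conf/search.cfg": 0o644,
              "conf/secret.key": 0o400}
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)  # explicit chmod so the umask does not matter
    for d in ("bin", "docs", "conf"):
        os.chmod(os.path.join(root, d), 0o755)
    return root

if __name__ == "__main__":
    sample = build_sample_tree()
    for rel, issue in audit_tree(sample, os.getuid()):
        print("%-24s %s" % (issue, rel))
```

Pass the real install directory and the uid the httpd server runs as in place of the constructed tree.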


