Bugtraq mailing list archives

Re: Verity/Search'97 Security Problems

From: jdandrea () FULLER IMS ATT COM (Joe D'Andrea)
Date: Mon, 20 Jul 1998 17:46:18 -0400


Regarding the infamous ResultTemplate security hole where you can supply
something like ../../../../../../../etc/passwd in the URL and GET it,
here's a SearchScript workaround I just dreamed up using filtered searches:

 <% if (InStr(Request.ResultTemplate, "..") > 0) OR
(InStr(Request.ResultTemplate, "/") = 1) Then %>
  <% Request.QueryText = "" %>
  <% Request.ResultTemplate = "" %>
 <% endif %>

If anyone sees any holes in this that I haven't covered, PLEASE speak up.

I've tested it under Search'97 IS 2.1 (which we use, and for which there
is no patch yet). How it works: If I see ".." anywhere in the ResultTemplate
or "/" at the start of it, then I reset QueryText and ResultTemplate right
away. Downstream, I look for blank queries and, if I find any, I just pretend
that no search was performed and show the default search page again.

I've informed Verity Technical Support of this workaround as well.

Please feel free to write me with any questions pertaining to the
above snippet.


--
Joe D'Andrea                                    AT&T Laboratories
-----------------------------------------------------------------
PGP Fingerprint: DF 7C 75 57 28 ED 52 7F  5B 77 A7 32 C8 9E 0C D2

Current thread:

Verity/Search'97 Security Problems Stefan Arentz (Jul 14)
- <Possible follow-ups>
- Re: Verity/Search'97 Security Problems Lloyd Vancil (Jul 16)
- Re: Verity/Search'97 Security Problems Jay Soffian (Jul 16)
- Re: Verity/Search'97 Security Problems Jay Soffian (Jul 16)
- Re: Verity/Search'97 Security Problems Joe D'Andrea (Jul 20)
- Re: Verity/Search'97 Security Problems Joe D'Andrea (Jul 22)