Bugtraq mailing list archives

Re: Verity/Search'97 Security Problems


From: jdandrea () FULLER IMS ATT COM (Joe D'Andrea)
Date: Wed, 22 Jul 1998 15:55:33 -0400


On Mon, 20 Jul 1998, Joe D'Andrea wrote:

> Regarding the infamous ResultTemplate security hole where you can supply
> something like ../../../../../../../etc/passwd in the URL and GET it,
> here's a SearchScript workaround I just dreamed up using filtered searches:
>
>  <% if (InStr(Request.ResultTemplate, "..") > 0) OR
> (InStr(Request.ResultTemplate, "/") = 1) Then %>
>   <% Request.QueryText = "" %>
>   <% Request.ResultTemplate = "" %>
>  <% endif %>
>
> If anyone sees any holes in this that I haven't covered, PLEASE speak up.

Big-time thanks to those who responded. Here are the issues raised:

   Q: What if, instead of ../, you throw in stuff like %2e%2e%2f ?
   A: Doesn't seem to matter in IS 2.1. ResultTemplate is already "decoded"
      by the time it reaches the filter.

   Q: What if someone inserts an escape character of some sort into the
      query, perhaps causing ASP to break out of the InStr and allow the
      malicious query to be executed?
   A: Good question. I take this to mean Active Server Pages. If someone is
      using ASP and wants to test this on their own system ... <grin>.

   Q: Does Netscape Catalog Server (which uses Verity search technology),
      have the same vulnerability?
   A: It might, but I don't have Catalog Server so I can't test it.
      Surely a fun assignment if anyone wants to try. I think Netscape
      Enterprise Server also has some form of Verity technology, but I
      do not know if it's based on Search'97 IS.

   Q: What if someone alters or recodes the request to not use filtersearch?
   A: Ack, you just found a shortcoming! Congrats. Hey, that's why I posted
      the message to BUGTRAQ, to ask for a reality check. Here it is.

So how to handle this last gotcha? It's true that there is a results
formatting parameter in IS 2.x and 3.x called SearchAction.

The documentation reads:

 "Internal Use Only. Designates the SEARCHScript action to use in creating
 page URLs. Specify in [Common], [Server], or [SearchDefaults] section of
 configuration file."

(Right. So let me get this straight. It's for internal use only, but it's
documented as if I can set it anyway ... or perhaps I'm misreading it.)

Actually, it's a moot point if all this does is set a DEFAULT action.
If I can still put action=search in the URL and avoid filtered searches
then all bets are off. I have a call in to Verity to check on this.

--
Joe D'Andrea                                    AT&T Laboratories
-----------------------------------------------------------------
PGP Fingerprint: DF 7C 75 57 28 ED 52 7F  5B 77 A7 32 C8 9E 0C D2
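The filter above is a denylist on the decoded ResultTemplate value, and the thread's own questions (encoded traversal, requests that skip the filtered search entirely) show where a denylist is fragile. The following is an added example from the editor, not code from the post or from Verity: it puts the posted check next to a canonicalising check that decodes the value and confines the resolved path to a template directory. The template root and the .hts extension are assumptions for illustration only.

```python
import os
from urllib.parse import unquote

# Constructed values for this example; the real Search'97 template
# directory and extension are not given on the page.
TEMPLATE_ROOT = "/opt/search97/templates"
ALLOWED_EXT = ".hts"


def denylist_check(result_template: str) -> bool:
    """Mirror of the posted SearchScript filter: reject a value that contains
    '..' anywhere or begins with '/'. Returns True if the value passes.
    Note it inspects the raw string, so it only works if the server has
    already percent-decoded the parameter, as the post says IS 2.1 does."""
    return ".." not in result_template and not result_template.startswith("/")


def canonical_check(result_template: str, root: str = TEMPLATE_ROOT) -> bool:
    """Hardened check: decode the value itself (twice, to catch %252e),
    normalise separators, resolve against the template root and require the
    result to stay under that root with the expected extension.
    Run this where the template file is actually opened, not only inside a
    filtered-search script, so a request that bypasses filtersearch is
    still covered."""
    value = unquote(unquote(result_template))
    if not value or "\x00" in value:
        return False
    value = value.replace("\\", "/")          # treat backslash as a separator too
    full = os.path.normpath(os.path.join(root, value))
    root_norm = os.path.normpath(root)
    if os.path.commonpath([root_norm, full]) != root_norm:
        return False                           # escaped the template directory
    return full.endswith(ALLOWED_EXT)


if __name__ == "__main__":
    for candidate in ("results.hts", "../../../../../../etc/passwd",
                      "/etc/passwd", "%2e%2e%2f%2e%2e%2fetc/passwd"):
        print(f"{candidate!r:45} denylist={denylist_check(candidate)!s:5} "
              f"canonical={canonical_check(candidate)}")
```

The encoded form passes the denylist only because that check never decodes; the canonical check rejects every traversal variant regardless of encoding.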
