
swish-E.txt

17 Aug 1999 00:00:00 | Reported by Packet Storm | Type: packetstorm | packetstormsecurity.com

Vulnerabilities in Swish search engine allow remote access via flawed Perl scripts and configuration.

Code
`Date: Mon, 9 Nov 1998 22:00:33 +0100  
From: Job de Haas <[email protected]>  
To: [email protected]  
Subject: Vulnerabilities with Swish  
  
  
-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
Hello,  
  
While installing the Swish search engine (http://sunsite.berkeley.edu/SWISH-E)  
at our site (http://www.itsx.com) we discovered several (potential)  
vulnerabilities. Swish-e and the accompanying configuration package AutoSwish  
contain vulnerabilities in the source code of the indexer, in an example perl  
script and in the perl scripts generated by AutoSwish for setting up an entry  
form. Although the major problem is in the example script we found that  
several sites use this. Also the well known nature of these issues doesn't  
seem to make it less desirable to point them out (again).  
  
Impact  
------  
  
The vulnerabilities could allow remote access to the web-server as the user  
that the server is running as.  
  
Description  
-----------  
  
1) Perl script problems  
  
Perl scripts to interface to the indexing and search program are provided  
in two fashions: as plain example scripts and auto generated by the  
AutoSwish configuration tool. The example scripts are provided on the web  
site for Swish ( http://sunsite.berkeley.edu/SWISH-E/Manual/webscripts.html).  
The scripts call the search program with parameters in the following manner:  
  
open(SWISH,"$swish -w $query -m $results -f $index|");  
  
The example scripts do this without stripping the user supplied arguments of  
shell meta-characters; AutoSwish generated scripts do some stripping.  
Still, subversion might be possible by providing command line arguments as  
search strings. This is a problem due to the way the arguments are processed  
by the indexing program.  
  
This behavior can be prevented by using exec (which forces the query to  
be passed as a single argument) and by removing any leading dashes from the  
user supplied strings.  
  
This should possibly be something like:  
  
$query =~ s/^-+(.*)/$1/;  
$results =~ s/^-+(.*)/$1/;  
open(SWISH,"-|") || exec $swish,"-w",$query,"-m",$results,"-f",$index;  
  
  
2) Buffer overflows  
  
The code of the actual index and search program contains numerous buffer  
overflows, too many to list individually. For the arguments these can  
be worked around by placing a preliminary limit on the size of these  
user supplied arguments. The following will allow you to keep using the  
binaries you have:  
  
$query =~ s/(.{256}).*/$1/;  
$results =~ s/(.{256}).*/$1/;  
  
Of course limiting the allowable characters in the query also severely limits  
the possibilities for exploiting an overflow. We have not fully evaluated what  
the impact could be when a user has control over the files being indexed.  
  
Solution  
--------  
  
Make sure that the program executing the index program 'swish' does not  
perform argument expansion and meta-character interpretation in a shell,  
disallows user supplied arguments starting with a dash and limits the  
arguments to safe lengths (no larger than 1000 bytes). A proposed patch is  
attached below.  
  
Relevant information concerning security issues while programming for web  
sites can be found at http://www.w3.org/Security/Faq/www-security-faq.html  
  
  
Job  
  
--------------------------  
Job de Haas | [email protected]  
ITSX | http://www.itsx.com  
  
  
Patch for samplescript:  
===========================  
  
--- samplescript Tue Sep 29 14:01:35 1998  
+++ samplescript.new Mon Nov 2 22:27:46 1998  
@@ -72,7 +72,11 @@  
  
$count=0;  
  
-open(SWISH, "$swish -w $query -m $results -f $index|");  
+# Remove leading dashes and limit to 256 characters  
+$query =~ s/^-+(.*)/$1/;  
+$results =~ s/^-+(.*)/$1/;  
+$query =~ s/(.{256}).*/$1/;  
+$results =~ s/(.{256}).*/$1/;  
+open(SWISH,"-|") || exec $swish,"-w",$query,"-m",$results,"-f",$index;  
  
#Check for errors  
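Review bot: in the added `open(SWISH,"-|") || exec ...` line, `||` cannot tell a failed fork (open returns undef) from the child (open returns 0), so when fork fails the CGI process itself execs swish, and when exec fails the child carries on into the rest of the script. Suggest testing `defined` on the return value of open, running exec only when it is 0, and exiting the child if exec returns. Also, the two `s/(.{256}).*/$1/` lines have no /s modifier, so `.` stops at a newline and a value containing newlines is not reliably cut to 256 characters; `substr($query, 0, 256)` would avoid that.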
  
============================  
  
  
  
-----BEGIN PGP SIGNATURE-----  
Version: PGP 5.0i  
  
iQA/AwUBNkdVaEkv/Q0TLteWEQKbhwCglavJWSnPZA3EXavd7uwNAKEmVW4AoOve  
wyH89An7Xpslf46KooGvGxyQ  
=dPji  
-----END PGP SIGNATURE-----  
`
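
The invocation the advisory recommends in sections 1 and 2 (no shell, no leading dashes, bounded length), as an added example that is not part of the original advisory or of Swish. It goes slightly beyond the proposed patch by checking for fork and exec failure. The names `clean_arg`, `run_search`, `@fake_swish` and `index.swish` are assumptions made for the example, and the stand-in command only echoes its arguments so the script runs without Swish installed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

my $MAX_LEN = 256;    # length limit used in the advisory's patch

# Drop leading dashes, then cut to $MAX_LEN characters. substr() is used
# instead of /(.{256}).*/ so embedded newlines cannot dodge the limit.
sub clean_arg {
    my ($value) = @_;
    $value = '' unless defined $value;
    $value =~ s/^-+//;
    return substr($value, 0, $MAX_LEN);
}

# Run a command with list-form exec (no shell) and return its output lines.
sub run_search {
    my ($command, @args) = @_;    # $command: array ref, program plus fixed args
    my $pid = open(my $out, '-|');
    die "cannot fork: $!" unless defined $pid;    # undef means fork failed
    if ($pid == 0) {
        # Child: each list element becomes exactly one argv entry.
        exec { $command->[0] } @$command, @args
            or do { warn "exec failed: $!\n"; exit 127 };
    }
    my @lines = <$out>;
    close $out;
    return @lines;
}

# Constructed stand-in for the swish binary: prints each argument it receives.
my @fake_swish = ($^X, '-e', 'print "[$_]\n" for @ARGV', '--');

# Constructed form input: a leading dash, a shell meta-character, an oversized value.
my $query   = clean_arg('-security; echo injected');
my $results = clean_arg('40' . ('9' x 1000));

print run_search(\@fake_swish, '-w', $query, '-m', $results, '-f', 'index.swish');
```

The bracketed output shows the whole query, semicolon included, arriving as one argument after `-w`, and the `-m` value cut to 256 characters.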
