Someone tried today to exploit the bug here. So I also urge others to
check their access_logs if they use glimpseHTTP for their MHonArc archives.
Achim
Stephane Bortzmeyer wrote:
On Thursday 3 July 97, at 9 h 33, the keyboard of bortzmeyer(_at_)pasteur(_dot_)fr wrote:
[Udi: The rest of the message details the exploit, which I removed
from this broadcast message.]
Since three actual attacks have already been made at Pasteur, I suggest
you check your Web servers with something like:
grep 'aglimpse.*IFS' /usr/local/etc/httpd/logs/access_log
And here's the original alert I received:
From: bortzmeyer(_at_)pasteur(_dot_)fr
To: glimpse(_at_)cs(_dot_)arizona(_dot_)edu
Cc: bortzmeyer(_at_)pasteur(_dot_)fr, udi(_at_)cs(_dot_)arizona(_dot_)edu
Subject: Fwd: SECURITY ALERT: serious bug in glimpseHTTP 2.0
Date: Thu, 03 Jul 97 09:33:53 +0200
Errors-to: glimpse-errors(_at_)cs(_dot_)arizona(_dot_)edu
This bug has been tested by me and works (glimpseHTTP 2.0).
A simple fix, which seems to work, is to change the offending line
(around line 72 in aglimpse) to:
open(CONF,"/$indexdir/archive.cfg") || &err_conf;
           ^
           Here
A better long-term fix would be to run every Perl CGI with taintperl
(option -T) and to use 'use strict'. I highly recommend it.
-----Forwarded message from Razvan Dragomirescu <drazvan(_at_)kappa(_dot_)ro>-----
Date: Wed, 2 Jul 1997 19:32:09 +0300
Reply-To: Razvan Dragomirescu <drazvan(_at_)kappa(_dot_)ro>
Sender: Bugtraq List <BUGTRAQ(_at_)NETSPACE(_dot_)ORG>
From: Razvan Dragomirescu <drazvan(_at_)kappa(_dot_)ro>
Subject: Vulnerability in Glimpse HTTP
To: BUGTRAQ(_at_)NETSPACE(_dot_)ORG
Hi,
I'm back with another vulnerability, this time in a small utility: Glimpse
HTTP, which is an interface to the Glimpse search tool. It is written in
Perl.
First my congratulations to the authors. They've done a really great job
in securing the program (really, I mean it). The hole I exploited is a
small one but it can allow you to execute any command on the remote
system (as the owner of the http server).
[Udi: The rest of the message details the exploit, which I removed
from this broadcast message.]
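The check suggested above is a grep of the access log for 'aglimpse.*IFS'. What follows is an added example, not code from this thread or from the Glimpse project: a small Python scanner that parses NCSA Common Log Format lines, URL-decodes the request path (repeatedly, so a percent-encoded or double-encoded copy of the same indicator is not missed, which a plain grep on the raw log would miss), and reports the matching requests. The sample log lines are constructed for illustration using documentation address ranges; the regular expressions and function names are mine and are not part of glimpseHTTP.

```python
import re
from urllib.parse import unquote

# NCSA Common Log Format, as written by the httpd of that era:
#   host ident authuser [date] "METHOD path PROTO" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+'
)

# The indicator from the alert: a request to the aglimpse CGI whose
# request line also carries the shell variable name IFS.
INDICATOR_RE = re.compile(r'aglimpse.*IFS')


def decode_path(path, rounds=3):
    """URL-decode a request path, repeating a few times so that
    double-encoded requests (%2549 -> %49 -> I) are normalised too."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def check_line(line):
    """Return (host, time, decoded_path) when the line matches the
    indicator, else None. Lines that are not CLF are ignored."""
    m = CLF_RE.match(line)
    if not m:
        return None
    decoded = decode_path(m.group('path'))
    if INDICATOR_RE.search(decoded):
        return (m.group('host'), m.group('time'), decoded)
    return None


def scan(lines):
    """Run check_line over an iterable of log lines and collect the hits."""
    return [hit for hit in (check_line(line) for line in lines) if hit]


# Constructed sample log; these are not real entries from any server.
SAMPLE_LOG = [
    # ordinary search through the archive interface: no hit
    '192.0.2.10 - - [03/Jul/1997:09:12:01 +0200] "GET /cgi-bin/aglimpse/1?query=mhonarc HTTP/1.0" 200 2310',
    # indicator in clear text, which the grep in the alert would also catch
    '198.51.100.7 - - [03/Jul/1997:09:31:44 +0200] "GET /cgi-bin/aglimpse/1?IFS=x HTTP/1.0" 200 512',
    # same indicator percent-encoded (%49%46%53 is "IFS"), invisible to a plain grep
    '203.0.113.9 - - [03/Jul/1997:09:32:10 +0200] "GET /cgi-bin/aglimpse/1?%49%46%53=x HTTP/1.0" 200 512',
    # IFS present but not an aglimpse request: not the pattern
    '192.0.2.11 - - [03/Jul/1997:09:40:00 +0200] "GET /docs/IFS.html HTTP/1.0" 404 -',
]

if __name__ == '__main__':
    for host, when, path in scan(SAMPLE_LOG):
        print(f'{when} {host} {path}')
```

Run it against a real log with `scan(open('/usr/local/etc/httpd/logs/access_log'))`. Treat the output as a review list rather than a verdict: a legitimate search for the term "IFS" would also match, and an attacker who mixed case or used a different variable name would not. The one-character fix quoted above works because Perl's two-argument open treats a filename that begins with "|" as a command to pipe to, and a leading "/" forces the string to be read as a path; taint mode (-T) is the stronger fix because it refuses to let request-derived data reach such operations at all.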