=============================================================================
CERT* Vendor-Initiated Bulletin VB-97.13
November 14, 1997
Topic: Vulnerability in GlimpseHTTP and WebGlimpse CGI scripts
Source: Project FUSE, University of Arizona
Related CERT documents:
ftp://ftp.cert.org/pub/cert_advisories/CA-97.25.CGI_metachar
ftp://ftp.cert.org/pub/tech_tips/cgi_metacharacters
To aid in the wide distribution of essential security information, the CERT
Coordination Center is forwarding the following information from Project FUSE,
University of Arizona. Project FUSE urges you to act on this information as
soon as possible. Project FUSE contact information is included in the
forwarded text below; please contact them if you have any questions or need
further information.
Please note that there is related information about these vulnerabilities in
AUSCERT Advisory AA-97.28, "Vulnerability in GlimpseHTTP and WebGlimpse
cgi-bin Packages", available from
ftp.auscert.org.au/pub/auscert/advisory/AA-97.28.GlimpseHTTP.WebGlimpse.vuls
=======================FORWARDED TEXT STARTS HERE============================
Problem: Vulnerability in GlimpseHTTP 2.0 and
WebGlimpse versions prior to 1.5
I. Description
A vulnerability exists in the GlimpseHTTP web search package. A related
vulnerability exists in the WebGlimpse web search package prior to version
1.5 (the latest version). These packages are popular collections of tools
that provide easy-to-use interface to Glimpse, an indexing and query
system, to provide a search facility on web sites.
Due to insufficient argument checking by some of GlimpseHTTP and older
WebGlimpse routines, intruders may be able to force it to execute arbitrary
commands with the privileges of the httpd process. Attacks against
GlimpseHTTP using these vulnerabilities have been reported.
Similar attacks have been reported on other scripts, and it is a good idea
now to check all your CGI scripts. For more information see
ftp://info.cert.org/pub/cert_advisories/CA-97.25.CGI_metachar
ftp://info.cert.org/pub/tech_tips/cgi_metacharacters
To check whether exploitation of this vulnerability has been attempted at
your site, search for unusual accesses to aglimpse in your access logs.
An example of how to do this is:
# egrep 'aglimpse.*IFS' {WWW_HOME}/logs/access_log
Where {WWW_HOME} is the base directory for your web server.
If this command returns anything, further investigation is necessary.
Up-to-date information regarding these vulnerabilities can be obtained from
the authors of GlimpseHTTP and WebGlimpse at
http://glimpse.cs.arizona.edu/security.html
Although the attacks against GlimpseHTTP have focused on version 2.0,
similar attacks may be possible on earlier versions.
II. Impact
Remote users may be able to execute arbitrary commands with the privileges
of the httpd process which answers HTTP requests. This may be used to
compromise the http server and under certain configurations gain privileged
access. Current attacks concentrated on obtaining the /etc/passwd file on
systems that do not provide shadow passwords.
III. Solution
The authors have decided to stop supporting GlimpseHTTP, and instead have
released a new version (1.5) of WebGlimpse, which has most of the features
of GlimpseHTTP and many more.
Users of any version GlimpseHTTP are encouraged to upgrade to the new
WebGlimpse. Users of earlier versions of WebGlimpse are also encouraged to
upgrade, as version 1.5 is more robust and more secure. WebGlimpse can be
found at http://glimpse.cs.arizona.edu/webglimpse/
For sites that cannot immediately install the current version of
WebGlimpse, it is recommended that you disable the version of GlimpseHTTP
or WebGlimpse you are using and use another script to interface to Glimpse.
Questions to the authors can be directed to glimpse@cs.arizona.edu
========================FORWARDED TEXT ENDS HERE=============================
If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident Response
and Security Teams (FIRST). See http://www.first.org/team-info/.
We strongly urge you to encrypt any sensitive information you send by email.
The CERT Coordination Center can support a shared DES key and PGP. Contact
the CERT staff for more information.
Location of CERT PGP key
ftp://ftp.cert.org/pub/CERT_PGP.key
CERT Contact Information
- - ------------------------
Email cert@cert.org
Phone +1 412-268-7090 (24-hour hotline)
CERT personnel answer 8:30-5:00 p.m. EST
(GMT-5)/EDT(GMT-4), and are on call for
emergencies during other hours.
Fax +1 412-268-6989
Postal address
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
USA
CERT publications, information about FIRST representatives, and other
security-related information are available from
http://www.cert.org/
ftp://ftp.cert.org/pub/
CERT advisories and bulletins are also posted on the USENET newsgroup
comp.security.announce
To be added to our mailing list for CERT advisories and bulletins, send your
email address to
cert-advisory-request@cert.org
In the subject line, type
SUBSCRIBE your-email-address
* Registered U.S. Patent and Trademark Office.
The CERT Coordination Center is part of the Software Engineering
Institute (SEI). The SEI is sponsored by the U. S. Department of Defense.
This file:
ftp://ftp.cert.org/pub/cert_bulletins/VB-97.13.GlimpseHTTP.WebGlimpse
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBNGzA2HVP+x0t4w7BAQFkxQP/dM5at0WZUagXtSh++qHoLNQgxbV9uITY
HmIKiitRLq4WegFOEwoMeJCTQW3YwsnPuvEw+XY92cUNgmYuDeZKcXE9RXKHZ6df
Ozg2a7iXke0THhYNxozzdj2WKBzfrC9aVL3BpiR7WLD1eIRzL2gmVC2iggcA22U1
Ow4SBS6caUY=
=B4Ri
-----END PGP SIGNATURE-----