**************************************************************************

Security Bulletin 9726 DISA Defense Communications System

November 15, 1997 Published by: DISN Security Coordination Center

(SCC@NIC.MIL) 1-(800) 365-3642

DEFENSE INFORMATION SYSTEM NETWORK

SECURITY BULLETIN

The DISN SECURITY BULLETIN is distributed by the DISN SCC (Security Coordination Center) under DISA contract as a means of communicating information on network and host security exposures, fixes, and concerns to security and management personnel at DISN facilities. Back issues may be obtained via FTP from NIC.MIL [207.132.116.5] using login= "anonymous" and password="guest". The bulletin pathname is scc/sec-yynn (where "yy" is the year the bulletin is issued and "nn" is a bulletin number, e.g. scc/sec-9705.txt). These are also available at our WWW site, http://nic.mil.

**************************************************************************

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
!                                                                       !
!   The following important advisory was issued by the Computer         !
!   Emergency Response Team (CERT) and is being relayed unedited        !
!   via the Defense Information Systems Agency's Security               !
!   Coordination Center distribution system as a means of               !
!   providing DISN subscribers with useful security information.        !
!                                                                       !
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

=============================================================================


CERT* Vendor-Initiated Bulletin VB-97.13

November 14, 1997

Topic: Vulnerability in GlimpseHTTP and WebGlimpse CGI scripts

Source: Project FUSE, University of Arizona

Related CERT documents:

ftp://ftp.cert.org/pub/cert_advisories/CA-97.25.CGI_metachar

ftp://ftp.cert.org/pub/tech_tips/cgi_metacharacters

To aid in the wide distribution of essential security information, the CERT Coordination Center is forwarding the following information from Project FUSE, University of Arizona. Project FUSE urges you to act on this information as soon as possible. Project FUSE contact information is included in the forwarded text below; please contact them if you have any questions or need further information.

Please note that there is related information about these vulnerabilities in AUSCERT Advisory AA-97.28, "Vulnerability in GlimpseHTTP and WebGlimpse cgi-bin Packages", available from

ftp.auscert.org.au/pub/auscert/advisory/AA-97.28.GlimpseHTTP.WebGlimpse.vuls

=======================FORWARDED TEXT STARTS HERE============================

Problem: Vulnerability in GlimpseHTTP 2.0 and WebGlimpse versions prior to 1.5

    I. Description

    A vulnerability exists in the GlimpseHTTP web search package. A related vulnerability exists in the WebGlimpse web search package prior to version 1.5 (the latest version). These packages are popular collections of tools that provide an easy-to-use interface to Glimpse, an indexing and query system, to provide a search facility on web sites.

    Due to insufficient argument checking by some of GlimpseHTTP and older WebGlimpse routines, intruders may be able to force it to execute arbitrary commands with the privileges of the httpd process. Attacks against GlimpseHTTP using these vulnerabilities have been reported.

    Similar attacks have been reported on other scripts, and it is a good idea now to check all your CGI scripts. For more information see

    ftp://info.cert.org/pub/cert_advisories/CA-97.25.CGI_metachar

    ftp://info.cert.org/pub/tech_tips/cgi_metacharacters

    To check whether exploitation of this vulnerability has been attempted at your site, search for unusual accesses to aglimpse in your access logs.

    An example of how to do this is:

    # egrep 'aglimpse.*IFS' {WWW_HOME}/logs/access_log

    Where {WWW_HOME} is the base directory for your web server.

    If this command returns anything, further investigation is necessary.
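The egrep check above matches the raw log line, so a request that percent-encodes part of the marker would not be reported. The following is an added example, not part of the original bulletin or the Glimpse project's code: it applies the same `aglimpse.*IFS` pattern after percent-decoding each request target. The log entries, addresses and the `/cgi-bin/aglimpse/80` path are constructed for illustration, with request payloads elided.

```python
import re
from urllib.parse import unquote

# Constructed sample entries in Common Log Format (not from the bulletin).
# Request payloads are elided; only the marker the bulletin greps for is kept.
SAMPLE_LOG = """\
192.0.2.10 - - [14/Nov/1997:10:01:02 -0700] "GET /cgi-bin/aglimpse/80?query=network+security HTTP/1.0" 200 5120
198.51.100.7 - - [14/Nov/1997:10:03:40 -0700] "GET /cgi-bin/aglimpse/80?IFS=[elided] HTTP/1.0" 200 312
203.0.113.5 - - [14/Nov/1997:10:04:11 -0700] "GET /cgi-bin/aglimpse/80?%49FS=[elided] HTTP/1.0" 404 298
192.0.2.44 - - [14/Nov/1997:10:05:00 -0700] "GET /docs/IFS-notes.html HTTP/1.0" 200 900
""".splitlines()

# Client address, request target and status code from one log line.
ENTRY_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+)[^"]*" (\d{3})')
# Same pattern as the bulletin's egrep command.
PATTERN = re.compile(r"aglimpse.*IFS")

def decode_fully(target, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised too."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def raw_hits(lines):
    """What the egrep command reports: matches on the undecoded line."""
    return [line for line in lines if PATTERN.search(line)]

def decoded_hits(lines):
    """Return (client, status) for requests that match after decoding."""
    hits = []
    for line in lines:
        m = ENTRY_RE.match(line)
        if m is None:
            continue  # not a parseable access-log entry
        client, target, status = m.groups()
        if PATTERN.search(decode_fully(target)):
            hits.append((client, int(status)))
    return hits

if __name__ == "__main__":
    print("raw egrep-style matches:", len(raw_hits(SAMPLE_LOG)))
    for client, status in decoded_hits(SAMPLE_LOG):
        print(f"investigate: {client} (HTTP {status})")
```

The status code is returned with each hit because a request the server answered successfully deserves attention before one it rejected.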

    Up-to-date information regarding these vulnerabilities can be obtained from the authors of GlimpseHTTP and WebGlimpse at

    http://glimpse.cs.arizona.edu/security.html

    Although the attacks against GlimpseHTTP have focused on version 2.0, similar attacks may be possible on earlier versions.

    II. Impact

    Remote users may be able to execute arbitrary commands with the privileges of the httpd process which answers HTTP requests. This may be used to compromise the http server and under certain configurations gain privileged access. Current attacks concentrated on obtaining the /etc/passwd file on systems that do not provide shadow passwords.

    III. Solution

    The authors have decided to stop supporting GlimpseHTTP, and instead have released a new version (1.5) of WebGlimpse, which has most of the features of GlimpseHTTP and many more.

    Users of any version of GlimpseHTTP are encouraged to upgrade to the new WebGlimpse. Users of earlier versions of WebGlimpse are also encouraged to upgrade, as version 1.5 is more robust and more secure. WebGlimpse can be found at http://glimpse.cs.arizona.edu/webglimpse/

    For sites that cannot immediately install the current version of WebGlimpse, it is recommended that you disable the version of GlimpseHTTP or WebGlimpse you are using and use another script to interface to Glimpse.

    Questions to the authors can be directed to glimpse@cs.arizona.edu


    ========================FORWARDED TEXT ENDS HERE=============================

    If you believe that your system has been compromised, contact the CERT Coordination Center or your representative in the Forum of Incident Response and Security Teams (FIRST). See http://www.first.org/team-info/.

    We strongly urge you to encrypt any sensitive information you send by email. The CERT Coordination Center can support a shared DES key and PGP. Contact the CERT staff for more information.

    Location of CERT PGP key
        ftp://ftp.cert.org/pub/CERT_PGP.key

    CERT Contact Information
    ------------------------
    Email   cert@cert.org

    Phone   +1 412-268-7090 (24-hour hotline)
            CERT personnel answer 8:30-5:00 p.m. EST (GMT-5)/EDT(GMT-4), and are on call for emergencies during other hours.

    Fax     +1 412-268-6989

    Postal address
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890
        USA

    CERT publications, information about FIRST representatives, and other security-related information are available from
        http://www.cert.org/
        ftp://ftp.cert.org/pub/

    CERT advisories and bulletins are also posted on the USENET newsgroup
        comp.security.announce

    To be added to our mailing list for CERT advisories and bulletins, send your email address to
        cert-advisory-request@cert.org
    In the subject line, type
        SUBSCRIBE your-email-address

    The CERT Coordination Center is part of the Software Engineering Institute (SEI). The SEI is sponsored by the U. S. Department of Defense.

    This file:

    ftp://ftp.cert.org/pub/cert_bulletins/VB-97.13.GlimpseHTTP.WebGlimpse


    PLEASE NOTE: Some users outside of the DOD computing communities may receive DISN Security Bulletins. If you are not part of the DOD community, please contact your agency's incident response team to report incidents. Your agency's team will coordinate with DOD. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending email to docserver@first.org with an empty subject line and a message body containing the line: send first-contacts.

    This document was prepared as a service to the DOD community. Neither the United States Government nor any of their employees makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government. The opinions of the authors expressed herein do not necessarily state or reflect those of the United States Government, and shall not be used for advertising or product endorsement purposes.