--------
] From: Marten Terpstra <Marten.Terpstra@ripe.net>
] Subject: Re: security hole in swais, FYI
] Date: Tue, 01 Sep 92 15:46:22 +0200
]
]
] Hi all,
]
] Mark Kosters from GSI notified us of the problem. Using swais you can pipe
] the output of a search into any command. You can do this by typing 'c' or '|'
] on the output of a search.
]
] Since we are running swais as a public service for people without their own
] wais client this can be quite harmful. Mark demonstrated that he could start
] a shell, list /etc/passwd and so on.
]
] We are running swais under userID nobody, so too much harm cannot be done,
] but still, we decided to disable the 'c' and '|' keys as commands.
] We are running the thing without a chroot though.
]
] The offending parts can be found in screen_ui.c. This is however with
] wais-8-b4, don't know about b5.
]
] Commenting out:
]
]     case '|' : ;
]     case 'c' : pipe_command(question);
]                state=UNKNOWN;
]                return(SHOWRESULTS);
]
] in screen_ui.c does the trick, as far as we can see.
] It would be nice if there was a compile time option to switch to swais in
] "safe" mode, like some pagers have.
]
] Also if you are offering this as a public service, make sure that the pipe
] commands and shell escapes in the pager swais uses are disabled ...

This is *not* a safe method for offering anonymous "wais" service. Both
NNSC.NSF.NET and QUAKE.THINK.COM are running it under a "chroot" file system,
thereby preventing access to any files not explicitly placed in the wais user
directory.

SWAIS was never intended to be run as an interactive service (if it were, I
would have certainly designed it differently). Instead, it is designed to be
run as yet another WAIS client, under a validated user name. Making it
available via telnet is something that we did to develop interest in WAIS.
Please do not set up an anonymous wais account to run it unless you provide it
with a restricted filesystem.
Not only do the pipe and pager commands pose a threat, but it is also possible
for folks to use the source routines to access files. If you need details on
how to set up a separate filesystem for providing anonymous wais service, send
mail to "nnsc@nnsc.nsf.net".

John Curran
NSF Network Service Center
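The compile-time "safe" mode Marten asks for, and the pager hardening he mentions, as an added example that is not code from the original thread or from the wais distribution. The function and enum names, SWAIS_RESTRICTED and the pager path are assumptions; the '|' and 'c' keys, PAGER and LESSSECURE (the environment variable that puts less into secure mode) are real.

```c
/* Added example, not swais source: the compile-time "safe mode" suggested in
 * the thread.  A results-screen key dispatcher refuses the pipe keys, and the
 * pager is started with its own shell escape disabled.  Function and enum
 * names are hypothetical; '|', 'c', PAGER and LESSSECURE are real. */
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

#ifndef SWAIS_RESTRICTED
#define SWAIS_RESTRICTED 0   /* build the public-service binary with -DSWAIS_RESTRICTED=1 */
#endif

enum action { ACT_PIPE, ACT_REFUSED, ACT_UNKNOWN };

/* Map a key pressed on the results screen to an action.  In restricted mode
 * the two keys that hand search output to an arbitrary command ('|' and 'c')
 * are refused before pipe_command() could ever be reached, which is what the
 * RIPE change above achieves by removing the case labels. */
enum action results_key_action(int key, int restricted)
{
    switch (key) {
    case '|':
    case 'c':
        return restricted ? ACT_REFUSED : ACT_PIPE;
    default:
        return ACT_UNKNOWN;
    }
}

/* Prepare the environment for the pager that displays retrieved documents.
 * A public service must not honour the caller's PAGER (it names the program
 * that gets executed) and must disable the pager's shell escape; less does
 * that when LESSSECURE=1.  Returns 0 on success, -1 on failure. */
int configure_pager(int restricted)
{
    if (!restricted)
        return 0;                                   /* trusted local user */
    if (setenv("PAGER", "/usr/bin/less", 1) != 0)   /* fixed path (assumed) */
        return -1;
    return setenv("LESSSECURE", "1", 1) == 0 ? 0 : -1;
}

/* True when the pager environment is in the locked-down state. */
int pager_is_secure(void)
{
    const char *p = getenv("PAGER"), *s = getenv("LESSSECURE");
    return p && strcmp(p, "/usr/bin/less") == 0 && s && strcmp(s, "1") == 0;
}
```

The key dispatcher only removes the in-client pipe path; as John Curran's reply notes, a chroot'd filesystem is still needed because other client routines can read files.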