[ SOURCE: http://www.secureroot.com/security/advisories/9641779141.html ]



Problem: Vulnerability in GlimpseHTTP 2.0 and

         WebGlimpse versions prior to 1.5



I. Description



A vulnerability exists in the GlimpseHTTP web search package.  A related

vulnerability exists in the WebGlimpse web search package prior to version

1.5 (the latest version).  These packages are popular collections of tools

that provide easy-to-use interface to Glimpse, an indexing and query

system, to provide a search facility on web sites.



Due to insufficient argument checking by some of GlimpseHTTP and older

WebGlimpse routines, intruders may be able to force it to execute arbitrary

commands with the privileges of the httpd process.  Attacks against

GlimpseHTTP using these vulnerabilities have been reported.



Similar attacks have been reported on other scripts, and it is a good idea

now to check all your CGI scripts.  For more information see



        ftp://info.cert.org/pub/cert_advisories/CA-97.25.CGI_metachar

        ftp://info.cert.org/pub/tech_tips/cgi_metacharacters



To check whether exploitation of this vulnerability has been attempted at

your site, search for unusual accesses to aglimpse in your access logs.

An example of how to do this is:



# egrep 'aglimpse.*IFS' {WWW_HOME}/logs/access_log



Where {WWW_HOME} is the base directory for your web server.



If this command returns anything, further investigation is necessary.



Up-to-date information regarding these vulnerabilities can be obtained from

the authors of GlimpseHTTP and WebGlimpse at



http://glimpse.cs.arizona.edu/security.html



Although the attacks against GlimpseHTTP have focused on version 2.0,

similar attacks may be possible on earlier versions.





II. Impact



Remote users may be able to execute arbitrary commands with the privileges

of the httpd process which answers HTTP requests.  This may be used to

compromise the http server and under certain configurations gain privileged

access.  Current attacks concentrated on obtaining the /etc/passwd file on

systems that do not provide shadow passwords.





III. Solution



The authors have decided to stop supporting GlimpseHTTP, and instead have

released a new version (1.5) of WebGlimpse, which has most of the features

of GlimpseHTTP and many more.



Users of any version GlimpseHTTP are encouraged to upgrade to the new

WebGlimpse.  Users of earlier versions of WebGlimpse are also encouraged to

upgrade, as version 1.5 is more robust and more secure.  WebGlimpse can be

found at http://glimpse.cs.arizona.edu/webglimpse/



For sites that cannot immediately install the current version of

WebGlimpse, it is recommended that you disable the version of GlimpseHTTP

or WebGlimpse you are using and use another script to interface to Glimpse.



Questions to the authors can be directed to glimpse@cs.arizona.edu