[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : CGI Security Hole in EWS1.1

Title: CGI Security Hole in EWS1.1
Released by: EXCITE
Date: 16th January 1998
Printable version: Click here
Topic: CGI Security Hole in EWS1.1

Source: Excite, Inc.

               555 Broadway, Redwood City, CA 94063


Problem: Vulnerability in EWS1.1, Unix and Windows NT platforms

I. Description

Excite for Web Servers, version 1.1, for Unix and Windows NT platforms,

contains a security hole that could allow a malicious user of the software

to execute shell commands on the the host system on which EWS has been

installed.  In situations where the web server is running under a user-id

with sufficient access privileges, a hacker could conceivably cause damage

to the host system.

EWS's search CGI is implemented in Perl and invokes a binary program to

actually perform the search against the corpus.  The function of the Perl

CGI is to parse the results from the search engine and render them in HTML.

This bug in no way affects Excite.com, anyone visiting or searching

Excite.com, any search boxes (for example, those on the Netscape and

Microsoft sites) that point to Excite.com, or sites that the Excite spider


II. Impact

Because a search entered by a user into the web page is passed as command

line argument to the search binary, and because the command line is

interpreted by the shell before the search binary is invoked, it is

possible for a hacker with sufficient know-how to craft a search that could

cause commands embedded in the search string to be invoked on the host


III. Solution

IMPORTANT: Please note that if you have obtained patches from Excite or a

third party site prior to 1/16/98, you do not have the most recent version

of the patch.  Please visit the patches page referenced below to obtain the

latest vresion of the patches, which have evaluated and tested internally,

as well as by CERT (http://www.cert.org).

The security hole can be corrected by replacing single Perl library file

that is part of the EWS1.1 distribution.  There are two new versions of

this file available at http://www.excite.com/navigate/patches.html.  One

version is for Unix platforms, the other is for Windows NT platforms.

Changes are confined to two subroutines within the architext_query.pl

library file.  The subroutines in question are 'MakeQuery' and


To apply the patch, simply replace the file architext_query.pl, which

appears in the 'perllib' subdirectory of the EWS installation, with one of

the files posted at the URL provided above.  Note that comments at the top

of the file indicate which operating system it is intended for, either Unix

platforms, or Windows NT platforms.

For Unix platforms, the changes made to these routines invoke the search

binaries using Perl's 'exec', which calls C's execvp(3), thus bypassing any

shell processing of the command.  By avoiding shell processing of the

command, the security hole is closed and prevents any attacks using

shell-based hacking.

It is not possible to use the same solution in the Windows NT

implementation of Perl, so the patch for Windows NT takes a different

approach, by defining a set of legal characters for a search string, and

then 'sanitizing' the string by removing any characters that are not

members of the set of legal characters.

For more information, please visit http://www.excite.com/navigate.

(C) 1999-2000 All rights reserved.