Excite for Web Servers (EWS) is an application webmasters and web server administrators can
download and install on their web servers in order to enable consumers who visit their sites
to search pages resident on the site. Excite for Web Servers, version 1.1, for Unix and
Windows NT platforms, contains a security hole that could allow a malicious user of the
software to execute shell commands on the host system on which EWS has been installed.
In situations where the web server is running under a userid with sufficient access privileges,
a hacker could conceivably cause damage to the host system.
EWS's search CGI is implemented in Perl and invokes a binary program to actually perform
the search against the corpus. The function of the Perl CGI is to parse the results from the
search engine and render them in HTML. Because a search entered by a user into the web page is
passed as a command line argument to the search binary, and because the command line is
interpreted by the shell before the search binary is invoked, it is possible for a hacker
with sufficient know-how to craft a search that could cause commands embedded in the search
string to be invoked on the host system.
This bug in no way affects Excite.com, anyone visiting or searching Excite.com, any search
boxes (for example, those on Netscape or Microsoft sites) that point to Excite.com,
downloadable chat clients, Excite Direct, Excite Pal, or sites that the Excite spider indexes.
Suggested Patch and Procedure
The security hole can be corrected by replacing a single Perl library file that is part of the
EWS 1.1 distribution. There are two new versions of this file linked to below. The changes are
contained to two subroutines within the architext_query.pl library file. The subroutines in
question are 'MakeQuery' and 'MakeGather'.
For Unix platforms
The changes made to these routines invoke the search binaries using Perl's 'exec', which
calls C's execvp(3), thus bypassing any shell processing of the command. Because the shell
never processes the command, the security hole is closed and shell-based attacks are
prevented.
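The difference between the two invocation styles, as an added example that is not Excite's patch or any code from architext_query.pl. It assumes /bin/echo as a stand-in for the search binary; the subroutine names, the EWS_DEMO variable and the query string are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

$| = 1;    # keep parent output ordered around the fork below

# Stand-in for the EWS search binary (assumption): /bin/echo prints its arguments.
my $SEARCH_BIN = '/bin/echo';

# Vulnerable pattern: the query is interpolated into one command string, which
# Perl hands to /bin/sh -c because it contains shell metacharacters.
sub run_via_shell {
    my ($query) = @_;
    my $out = `$SEARCH_BIN $query`;
    chomp $out;
    return $out;
}

# Fixed pattern: fork with an implicit pipe, then exec with an argument list.
# List-form exec calls execvp(3) directly, so the query reaches the binary as
# a single argv entry and no shell ever parses it.
sub run_via_exec {
    my ($query) = @_;
    my $pid = open(my $fh, '-|');
    die "fork failed: $!" unless defined $pid;
    if ($pid == 0) {    # child: stdout is the pipe back to the parent
        exec { $SEARCH_BIN } $SEARCH_BIN, $query
            or do { print STDERR "exec failed: $!\n"; exit 127 };
    }
    my $out = do { local $/; <$fh> };
    close $fh;
    $out = '' unless defined $out;
    chomp $out;
    return $out;
}

# Constructed input: a harmless marker variable reveals whether a shell
# parsed the query before the binary saw it.
$ENV{EWS_DEMO} = 'expanded-by-shell';
my $query = 'annual report $EWS_DEMO';

printf "via shell: %s\n", run_via_shell($query);
printf "via exec : %s\n", run_via_exec($query);
```

In the shell variant the marker variable is expanded before the binary runs; in the exec variant the binary receives the query text unchanged.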
Right mouse click on this link: security bug fix for UNIX, and save the file as:
architext_query.pl
To apply the patch, simply replace the file architext_query.pl, which appears in the
'perllib' subdirectory of the EWS installation. Note that comments at the top of the file
indicate which operating system it is intended for, either Unix platforms, or Windows NT
platforms.
Finally, make sure that the ownership and permissions on the new version of
architext_query.pl match those of the other EWS files in your installation.
For NT Platforms
It is not possible to use the same solution in the Windows NT implementation of Perl, so
the patch for Windows NT takes a different approach: it removes from the user-submitted
query string any special characters that could be used to cause the host machine to invoke
an undesired command.
Right mouse click on this link: security bug fix for NT, and save the file as:
architext_query.pl
To apply the patch, simply replace the file architext_query.pl, which appears in the
'perllib' subdirectory of the EWS installation. Note that comments at the top of the file
indicate which operating system it is intended for, either Unix platforms, or Windows NT
platforms.
Finally, make sure that the ownership and permissions on the new version of
architext_query.pl match those of the other EWS files in your installation.
Source: excite.com