public inbox for overseers@sourceware.org
* bug in search engine
@ 2003-10-09 15:21 Aldy Hernandez
From: Aldy Hernandez @ 2003-10-09 15:21 UTC (permalink / raw)
  To: overseers, gcc

Try to search for... "foo --bar" on either the GCC or the GCC patches
search engine.

^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: bug in search engine
@ 2003-10-09 15:25 ` Paolo Carlini
From: Paolo Carlini @ 2003-10-09 15:25 UTC (permalink / raw)
  To: Aldy Hernandez; +Cc: overseers, gcc

Aldy Hernandez wrote:

>Try to search for... "foo --bar" on either the GCC or the GCC patches
>search engine.
>
Funny!

Paolo.


* Re: bug in search engine
@ 2003-10-09 15:32   ` Gerald Pfeifer
From: Gerald Pfeifer @ 2003-10-09 15:32 UTC (permalink / raw)
  To: overseers, Aldy Hernandez; +Cc: Paolo Carlini, gcc

On Thu, 9 Oct 2003, Paolo Carlini wrote:
>> Try to search for... "foo --bar" on either the GCC or the GCC patches
>> search engine.
> Funny!

It looks funny, but it might well be exploitable (so it would have been
better not to post this to the widely spread gcc list).

I have thus completely disabled the whole search engine for now¹ until
H-P or someone else has had a closer look.

Gerald

¹ chmod a-x htsearch


* Re: bug in search engine
@ 2003-10-09 15:37     ` Aldy Hernandez
From: Aldy Hernandez @ 2003-10-09 15:37 UTC (permalink / raw)
  To: Gerald Pfeifer; +Cc: overseers, Paolo Carlini, gcc

> It looks funny, but it might well be exploitable (so it would have been
> better not to post this to the widely spread gcc list).

Yeah, I realized that 5 seconds after I hit send.  Sorry about that.

> I have thus completely disabled the whole search engine for now¹ until
> H-P or someone else has had a closer look.

Thanks.

Aldy


* Re: bug in search engine
@ 2003-10-10  3:14 ` Aldy Hernandez
From: Aldy Hernandez @ 2003-10-10  3:14 UTC (permalink / raw)
  To: overseers

"foo --bar" is still not working.  It searches for "foo bar".

The obvious security hole is gone though.


* Re: bug in search engine
@ 2003-10-10  6:58   ` Hans-Peter Nilsson
From: Hans-Peter Nilsson @ 2003-10-10  6:58 UTC (permalink / raw)
  To: Aldy Hernandez; +Cc: overseers

On Thu, 9 Oct 2003, Aldy Hernandez wrote:

> "foo --bar" is still not working.  It searches for "foo bar".

I think you misunderstand the htdig syntax.  It's not supposed
to search for "foo and --bar" or "foo not bar" by that.

> The obvious security hole is gone though.

There likely never was one, just a stupid bug.

brgds, H-P



* Re: bug in search engine
@ 2003-10-10  0:16               ` Christopher Faylor
From: Christopher Faylor @ 2003-10-10  0:16 UTC (permalink / raw)
  To: Hans-Peter Nilsson; +Cc: Gerald Pfeifer, overseers

On Thu, Oct 09, 2003 at 06:18:43PM -0400, Hans-Peter Nilsson wrote:
>On Thu, 9 Oct 2003, Christopher Faylor wrote:
>> On Thu, Oct 09, 2003 at 05:54:53PM -0400, Hans-Peter Nilsson wrote:
>> >The interesting question is why the apache at bitrange.com
>> >(1.3.27) does not pass argv and why it does on gcc/sourceware
>> >(2.0.40).  What confparam is different between my apache and
>> >yours?
>>
>> It has to do with how the web page is constructed.
>>
>> <form method="get" action="/cgi-bin/htsearch">
>> </form>
>>
>> vs. this:
>>
>> <form method="post" action="/cgi-bin/htsearch">
>> </form>
>
>The former can be on *any web page or file:///*.  Evildoer
>just adds gcc.gnu.org before the /cgi-bin.

I suppose that in all of the discussion about "confparam" I missed this
simple point.


* Re: bug in search engine
@ 2003-10-09 22:18             ` Hans-Peter Nilsson
From: Hans-Peter Nilsson @ 2003-10-09 22:18 UTC (permalink / raw)
  To: Christopher Faylor; +Cc: Gerald Pfeifer, overseers

On Thu, 9 Oct 2003, Christopher Faylor wrote:
> On Thu, Oct 09, 2003 at 05:54:53PM -0400, Hans-Peter Nilsson wrote:
> >The interesting question is why the apache at bitrange.com
> >(1.3.27) does not pass argv and why it does on gcc/sourceware
> >(2.0.40).  What confparam is different between my apache and
> >yours?
>
> It has to do with how the web page is constructed.
>
> <form method="get" action="/cgi-bin/htsearch">
> </form>
>
> vs. this:
>
> <form method="post" action="/cgi-bin/htsearch">
> </form>

The former can be on *any web page or file:///*.  Evildoer
just adds gcc.gnu.org before the /cgi-bin.

> >Sorry, but that's unimportant and beside the point, as Gerald
> >pointed out.
>
> Can you explain how?  method="post" tells a web server not to pass
> things on the command line which seems to be precisely the point.  I
> don't understand why you think fixing this would not solve the problem.
> This isn't a server configury thing.  It's basic html.

If you have control over all html everywhere, yes, but we don't.

Which puts the focus on the apache conf.

brgds, H-P

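The behaviour this exchange circles around is the CGI/1.1 "indexed query" rule (RFC 3875 section 4.4): when a request's QUERY_STRING is non-empty and contains no unencoded "=", the server splits it on "+" and passes the URL-decoded pieces to the script as command-line arguments. That is how "foo --bar", submitted through a form with no named field, can reach getopt, and it is why switching the site's own forms to method="post" only changes what the site's pages send, not what a request arriving from anywhere else can carry. The Python below is an added example, not htdig's or sourceware's code: it simulates the server's argv construction and contrasts a CGI entry point that parses argv unconditionally with one that ignores argv whenever the CGI environment is present. The option table and the form field name "words" are assumptions made for the example.

```python
"""Added example (not htdig's code): how a CGI/1.1 server turns a GET query
into argv, and a CGI entry point that never lets that reach getopt.

RFC 3875 section 4.4 ("indexed" queries): when QUERY_STRING is non-empty and
contains no unencoded '=', the server splits it on '+' and passes the
URL-decoded pieces as command-line arguments to the script.
"""
import getopt
import urllib.parse


def cgi_argv(script, query_string):
    """argv that a CGI/1.1 server builds for a request (simulation)."""
    if query_string and "=" not in query_string:
        pieces = [urllib.parse.unquote(p) for p in query_string.split("+") if p]
        return [script] + pieces
    return [script]


# Option table standing in for htsearch's getopt call (assumption: the real
# option letters do not matter for the point being made).
SHORT_OPTS = "c:v"
LONG_OPTS = ["config=", "verbose"]


def search_words_unsafe(argv):
    """Pattern behind the report: argv is parsed unconditionally, so a query
    term such as '--bar' that arrived via the indexed-query rule is treated as
    an option.  gnu_getopt permutes like glibc's getopt, so the unknown option
    is seen even after a non-option word and getopt.GetoptError is raised."""
    _opts, words = getopt.gnu_getopt(argv[1:], SHORT_OPTS, LONG_OPTS)
    return words


def search_words_cgi_safe(environ, argv, stdin_body=""):
    """Hardened entry: when the CGI environment is present, argv is ignored
    and the search terms come only from QUERY_STRING (GET) or the request
    body (POST).  Plain command-line use still gets option parsing."""
    if "REQUEST_METHOD" in environ:
        if environ["REQUEST_METHOD"] == "GET":
            raw = environ.get("QUERY_STRING", "")
        else:
            raw = stdin_body
        form = urllib.parse.parse_qs(raw)
        # 'words' is a hypothetical form field name for this example.
        if "words" in form:
            return form["words"][0].split()
        # Indexed query (no '='): the whole string is the search phrase,
        # and it is only ever treated as data, never as options.
        return urllib.parse.unquote_plus(raw).split()
    _opts, words = getopt.gnu_getopt(argv[1:], SHORT_OPTS, LONG_OPTS)
    return words


def demo():
    """Walk the reported query through both paths; returns a summary dict."""
    query = "foo+--bar"                    # what 'foo --bar' becomes in a GET form
    argv = cgi_argv("htsearch", query)     # ['htsearch', 'foo', '--bar']
    try:
        unsafe = search_words_unsafe(argv)
    except getopt.GetoptError as err:
        unsafe = "getopt error: %s" % err
    env = {"REQUEST_METHOD": "GET", "QUERY_STRING": query}
    safe = search_words_cgi_safe(env, argv)
    return {"argv": argv, "unsafe": unsafe, "safe": safe}


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-6s %r" % (key, value))
```

Running it shows the three stages side by side: the server-built argv, the unconditional getopt path rejecting "--bar" as an unknown option, and the CGI-aware path returning "foo" and "--bar" as two search terms. The same query sent as "words=foo+--bar" (or as a POST body) yields an argv of just the script name, which is all the method="post" change achieves for requests the site's own pages generate.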

* Re: bug in search engine
@ 2003-10-09 22:04           ` Christopher Faylor
From: Christopher Faylor @ 2003-10-09 22:04 UTC (permalink / raw)
  To: Hans-Peter Nilsson; +Cc: Gerald Pfeifer, overseers

On Thu, Oct 09, 2003 at 05:54:53PM -0400, Hans-Peter Nilsson wrote:
>The interesting question is why the apache at bitrange.com
>(1.3.27) does not pass argv and why it does on gcc/sourceware
>(2.0.40).  What confparam is different between my apache and
>yours?

It has to do with how the web page is constructed.

<form method="get" action="/cgi-bin/htsearch"> 
</form> 

vs. this:

<form method="post" action="/cgi-bin/htsearch"> 
</form> 


>> >Method="post", maybe?  If so, I can fix this easily.
>>
>> That was it.  I'm changing all of the search options to use 'method="post"'.
>> That seems to work correctly.
>
>Sorry, but that's unimportant and beside the point, as Gerald
>pointed out.

Can you explain how?  method="post" tells a web server not to pass
things on the command line which seems to be precisely the point.  I
don't understand why you think fixing this would not solve the problem.
This isn't a server configury thing.  It's basic html.

cgf


* Re: bug in search engine
@ 2003-10-09 21:54         ` Hans-Peter Nilsson
From: Hans-Peter Nilsson @ 2003-10-09 21:54 UTC (permalink / raw)
  To: Christopher Faylor; +Cc: Gerald Pfeifer, overseers

On Thu, 9 Oct 2003, Christopher Faylor wrote:
> On Thu, Oct 09, 2003 at 04:49:47PM -0400, Christopher Faylor wrote:
> >On Thu, Oct 09, 2003 at 04:37:19PM -0400, Hans-Peter Nilsson wrote:
> >>Not needed.  Anyone: Is it an apache configury thing to give
> >>cgi:s the args in argv as well as in QUERY_STRING with method
> >>GET?  It happens on gcc.gnu.org, but not where I tested first.
> >>(A STFW wasn't conclusive.)
> >
> >Isn't that at the discretion of the form that is used to invoke the cgi?

Not really.

The interesting question is why the apache at bitrange.com
(1.3.27) does not pass argv and why it does on gcc/sourceware
(2.0.40).  What confparam is different between my apache and
yours?

> >Method="post", maybe?  If so, I can fix this easily.
>
> That was it.  I'm changing all of the search options to use 'method="post"'.
> That seems to work correctly.

Sorry, but that's unimportant and beside the point, as Gerald
pointed out.

> I've turned htsearch back on again.

Please turn it off again.

brgds, H-P


* Re: bug in search engine
@ 2003-10-09 21:51           ` Christopher Faylor
From: Christopher Faylor @ 2003-10-09 21:51 UTC (permalink / raw)
  To: Gerald Pfeifer; +Cc: overseers

On Thu, Oct 09, 2003 at 11:22:32PM +0200, Gerald Pfeifer wrote:
>On Thu, 9 Oct 2003, Christopher Faylor wrote:
>>> Isn't that at the discretion of the form that is used to invoke the cgi?
>>> Method="post", maybe?  If so, I can fix this easily.
>> That was it.  I'm changing all of the search options to use 'method="post"'.
>> That seems to work correctly.
>
>Nice detective work, thanks!
>
>> I've turned htsearch back on again.
>
>Security-wise this may be premature (if, and only if, the problem is
>exploitable): someone else could craft a form invoking our cgi-bin in
>the original "bad" way -- and given the problem was mentioned on the
>public gcc list I'd say there is a non-zero chance for someone trying.
>
>Or did I miss anything?

The problem is fixed by using the post method.  I thought that I'd have
that fixed in all of the myriad places that this showed up but it is
taking *forever*.  So, I've turned it off again until this is finished.

cgf


* Re: bug in search engine
@ 2003-10-09 21:22         ` Gerald Pfeifer
From: Gerald Pfeifer @ 2003-10-09 21:22 UTC (permalink / raw)
  To: overseers

On Thu, 9 Oct 2003, Christopher Faylor wrote:
>> Isn't that at the discretion of the form that is used to invoke the cgi?
>> Method="post", maybe?  If so, I can fix this easily.
> That was it.  I'm changing all of the search options to use 'method="post"'.
> That seems to work correctly.

Nice detective work, thanks!

> I've turned htsearch back on again.

Security-wise this may be premature (if, and only if, the problem is
exploitable): someone else could craft a form invoking our cgi-bin in
the original "bad" way -- and given the problem was mentioned on the
public gcc list I'd say there is a non-zero chance for someone trying.

Or did I miss anything?

Gerald
-- 
Gerald Pfeifer (Jerry)   gerald@pfeifer.com   http://www.pfeifer.com/gerald/

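Gerald's point is that a crafted request needs no cooperation from the site's own forms, so the place a defender would look for attempts is the web server's access log rather than the HTML. The scanner below is an added example, not part of this thread or of sourceware's tooling: it parses Apache common/combined log request lines, keeps requests under the cgi-bin prefix whose query string the indexed-query rule (RFC 3875 section 4.4: non-empty, no unencoded "=") would turn into argv, reconstructs that argv, and marks entries where any argument looks like an option. The log lines are constructed for the example, with documentation-range addresses; POST bodies never appear in the access log, so the POST line is shown only to make that limit visible.

```python
"""Added example: find access-log requests to cgi-bin whose query string the
CGI/1.1 indexed-query rule (RFC 3875 section 4.4) would turn into argv.
Not part of the sourceware setup; the log lines below are constructed."""
import re
from urllib.parse import unquote, urlsplit

# Apache 'common'/'combined' log prefix: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample (documentation-range IPs).  Line 1 has a named field,
# line 2 is the reported query, line 3 is a POST (body not logged), line 4 is
# outside cgi-bin, line 5 is an indexed query with harmless-looking words.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Oct/2003:15:20:01 +0000] "GET /cgi-bin/htsearch?words=foo+--bar HTTP/1.1" 200 5120
203.0.113.5 - - [09/Oct/2003:15:20:09 +0000] "GET /cgi-bin/htsearch?foo+--bar HTTP/1.1" 500 0
198.51.100.7 - - [09/Oct/2003:15:21:30 +0000] "POST /cgi-bin/htsearch HTTP/1.1" 200 4096
198.51.100.7 - - [09/Oct/2003:15:22:00 +0000] "GET /index.html?x HTTP/1.1" 200 1200
192.0.2.9 - - [09/Oct/2003:15:23:15 +0000] "GET /cgi-bin/htsearch?gcc+bugs HTTP/1.1" 200 7000
"""


def is_indexed_query(query):
    """True when a CGI/1.1 server would split this query into argv.
    Only an unencoded '=' disables the rule; '%3D' does not."""
    return bool(query) and "=" not in query


def indexed_argv(query):
    """The arguments the server would pass: split on '+', URL-decode each."""
    return [unquote(p) for p in query.split("+") if p]


def scan(log_text, cgi_prefix="/cgi-bin/"):
    """Return one dict per request that would reach a CGI script with a
    populated argv; 'option_like' is set when an argument starts with '-'."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a request line we understand
        target = urlsplit(m.group("target"))
        if not target.path.startswith(cgi_prefix):
            continue
        if not is_indexed_query(target.query):
            continue                      # empty, or has '=': argv stays empty
        argv = indexed_argv(target.query)
        hits.append({
            "host": m.group("host"),
            "time": m.group("time"),
            "script": target.path,
            "status": m.group("status"),
            "argv": argv,
            "option_like": any(a.startswith("-") for a in argv),
        })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        flag = "OPTION-LIKE ARGV" if hit["option_like"] else "indexed query"
        print("%s %s %s -> %r (%s)" % (hit["time"], hit["host"],
                                       hit["script"], hit["argv"], flag))
```

On the sample it reports two hits: the "foo --bar" request, flagged because "--bar" would reach the script as an option-shaped argument, and the "gcc bugs" request, which is an indexed query but carries nothing option-like. Feeding it a real log is a quick way to see whether any client is still reaching htsearch through the "bad" form shape after the site's own pages have been changed.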

* Re: bug in search engine
@ 2003-10-09 20:58       ` Christopher Faylor
From: Christopher Faylor @ 2003-10-09 20:58 UTC (permalink / raw)
  To: Hans-Peter Nilsson, Gerald Pfeifer, overseers

On Thu, Oct 09, 2003 at 04:49:47PM -0400, Christopher Faylor wrote:
>On Thu, Oct 09, 2003 at 04:37:19PM -0400, Hans-Peter Nilsson wrote:
>>On Thu, 9 Oct 2003, Hans-Peter Nilsson wrote:
>>> I have trouble understanding why getopt can get hold of that
>>> "--bar".  I can't repeat it on my own; the query with method GET
>>> ends up as it should in QUERY_STRING with argc 0 and argv empty.
>>>
>>> Chris, can I have access to the web logs, please?  (They used to
>>> be accessible, FWIW.)
>>
>>Not needed.  Anyone: Is it an apache configury thing to give
>>cgi:s the args in argv as well as in QUERY_STRING with method
>>GET?  It happens on gcc.gnu.org, but not where I tested first.
>>(A STFW wasn't conclusive.)
>
>Isn't that at the discretion of the form that is used to invoke the cgi?
>Method="post", maybe?  If so, I can fix this easily.

That was it.  I'm changing all of the search options to use 'method="post"'.
That seems to work correctly.

I've turned htsearch back on again.

cgf


* Re: bug in search engine
@ 2003-10-09 20:49     ` Christopher Faylor
From: Christopher Faylor @ 2003-10-09 20:49 UTC (permalink / raw)
  To: Hans-Peter Nilsson; +Cc: Gerald Pfeifer, overseers

On Thu, Oct 09, 2003 at 04:37:19PM -0400, Hans-Peter Nilsson wrote:
>On Thu, 9 Oct 2003, Hans-Peter Nilsson wrote:
>> I have trouble understanding why getopt can get hold of that
>> "--bar".  I can't repeat it on my own; the query with method GET
>> ends up as it should in QUERY_STRING with argc 0 and argv empty.
>>
>> Chris, can I have access to the web logs, please?  (They used to
>> be accessible, FWIW.)
>
>Not needed.  Anyone: Is it an apache configury thing to give
>cgi:s the args in argv as well as in QUERY_STRING with method
>GET?  It happens on gcc.gnu.org, but not where I tested first.
>(A STFW wasn't conclusive.)

Isn't that at the discretion of the form that is used to invoke the cgi?
Method="post", maybe?  If so, I can fix this easily.

cgf


* Re: bug in search engine
@ 2003-10-09 20:37   ` Hans-Peter Nilsson
From: Hans-Peter Nilsson @ 2003-10-09 20:37 UTC (permalink / raw)
  To: Gerald Pfeifer; +Cc: Christopher Faylor, overseers

On Thu, 9 Oct 2003, Hans-Peter Nilsson wrote:
> I have trouble understanding why getopt can get hold of that
> "--bar".  I can't repeat it on my own; the query with method GET
> ends up as it should in QUERY_STRING with argc 0 and argv empty.
>
> Chris, can I have access to the web logs, please?  (They used to
> be accessible, FWIW.)

Not needed.  Anyone: Is it an apache configury thing to give
cgi:s the args in argv as well as in QUERY_STRING with method
GET?  It happens on gcc.gnu.org, but not where I tested first.
(A STFW wasn't conclusive.)

If so, I suggest shutting that option off and adding a bit
warning in httpd.conf (or wherever).

I'll fix htdig independently of this.

brgds, H-P


* Re: bug in search engine
@ 2003-10-09 20:33   ` Christopher Faylor
From: Christopher Faylor @ 2003-10-09 20:33 UTC (permalink / raw)
  To: Hans-Peter Nilsson; +Cc: Gerald Pfeifer, overseers

On Thu, Oct 09, 2003 at 04:21:46PM -0400, Hans-Peter Nilsson wrote:
>On Thu, 9 Oct 2003, Gerald Pfeifer wrote:
>> On Thu, 9 Oct 2003, Hans-Peter Nilsson wrote:
>> > cgf or Gerald, I suggest one of you chmod -x the sourceware
>> > htsearch too.  I'm not root.  I can't do it assuming it's the
>> > one in /www/cgi-bin.
>>
>> Given that you're the local htdig expert, I followed your advice:
>
>Thanks, but please don't call me htdig expert to my face. :-)
>
>I have trouble understanding why getopt can get hold of that
>"--bar".  I can't repeat it on my own; the query with method GET
>ends up as it should in QUERY_STRING with argc 0 and argv empty.
>
>Chris, can I have access to the web logs, please?  (They used to
>be accessible, FWIW.)

Grrr...  Stupid Red Hat up2date.  It keeps setting the permission
on the /www/logs directory.  It's fixed now.

Please let me know if I can do anything else to help.

cgf


* Re: bug in search engine
@ 2003-10-09 20:21 ` Hans-Peter Nilsson
From: Hans-Peter Nilsson @ 2003-10-09 20:21 UTC (permalink / raw)
  To: Gerald Pfeifer; +Cc: Christopher Faylor, overseers

On Thu, 9 Oct 2003, Gerald Pfeifer wrote:
> On Thu, 9 Oct 2003, Hans-Peter Nilsson wrote:
> > cgf or Gerald, I suggest one of you chmod -x the sourceware
> > htsearch too.  I'm not root.  I can't do it assuming it's the
> > one in /www/cgi-bin.
>
> Given that you're the local htdig expert, I followed your advice:

Thanks, but please don't call me htdig expert to my face. :-)

I have trouble understanding why getopt can get hold of that
"--bar".  I can't repeat it on my own; the query with method GET
ends up as it should in QUERY_STRING with argc 0 and argv empty.

Chris, can I have access to the web logs, please?  (They used to
be accessible, FWIW.)

brgds, H-P



Thread overview: 17+ messages
2003-10-09 15:21 bug in search engine Aldy Hernandez
2003-10-09 15:25 ` Paolo Carlini
2003-10-09 15:32   ` Gerald Pfeifer
2003-10-09 15:37     ` Aldy Hernandez
2003-10-10  3:14 ` Aldy Hernandez
2003-10-10  6:58   ` Hans-Peter Nilsson
     [not found] <Pine.BSF.4.58.0310092205520.3841@acrux.dbai.tuwien.ac.at>
2003-10-09 20:21 ` Hans-Peter Nilsson
2003-10-09 20:33   ` Christopher Faylor
2003-10-09 20:37   ` Hans-Peter Nilsson
2003-10-09 20:49     ` Christopher Faylor
2003-10-09 20:58       ` Christopher Faylor
2003-10-09 21:22         ` Gerald Pfeifer
2003-10-09 21:51           ` Christopher Faylor
2003-10-09 21:54         ` Hans-Peter Nilsson
2003-10-09 22:04           ` Christopher Faylor
2003-10-09 22:18             ` Hans-Peter Nilsson
2003-10-10  0:16               ` Christopher Faylor
