Skip to main content.
home | support | download

Back to List Archive

Re: swish.cgi

From: David L Norris <dave(at)>
Date: Mon Dec 03 2001 - 22:18:28 GMT
On Mon, 2001-12-03 at 15:44, Bill Moseley wrote:
> I'm thinking about spending a few hours (few, ya right)

I know this feeling...  

> I'm going to try to make the scripts work under windows, but I have yet to
> find someone to show me how to write a CGI script in a safe way under windows.

What issues concern you?  Maybe they'll jog some memories.

What bothers me immensely is that Microsoft IIS runs under the System
account.  System account has at least as many priviledges as
Administrator...  Making a security mistake in this environment is
devastating; the entire machine is easily compromised and/or destroyed. 
I don't believe it's possible to run IIS under another account, either. 
It's integrated into the system kernel somehow.

Most (recent) issues have been buffer overflows (CGIs, modules, etc
exposing buffer probs in IIS itself) allowing "root" compromises;
rootkits are popular payloads.

Shell exploits aren't much of an issue.  The NT/DOS shells are really
rather worthless.  My advice?  Allow only valid character ranges through
to the shell.  The main issues in my mind are overwriting files with >
and executing arbitrary commands with a |.  I don't believe there is a
fool-proof method of escaping characters.

> If any current users of swish.cgi have comments or suggestions, please let
> me know.  For example, currently, config is done right in the script, so
> maybe that should be put elsewhere?

I have a seperate, well commented config file for my PHP script.  I also
(try to) put procedural code into a seperate file to keep the interface
code clean.  I require these files into the interface script.  The
actual code in my SWS script is rather miserable at the moment.  But, I
think the principals are sound.  ;-)  I've simply not spent time fixing
it.  This will change.  I need to rewrite it for another project very

> I'd love to see someone do PHP or Python or JSP examples, too.

Examples of what in PHP?  Let me know and I'll have a look.

> Another thing I'd like to do (someday) is have the swish-e build process
> build a little server, so that after make install you can start the server
> which will listen to some port, and then all configuration, indexing, and
> searching can be done via a web interface.  This is similar to the way
> Inktomi works, I believe.

You know, that's not a bad idea.  Maybe the server could perform
searches and (optionally?) output XML which could be parsed into a web

 David Norris
  Dave's Web -
  Augury Net -
  ICQ Universal Internet Number - 412039
  E-Mail -

  "I once went to the store to buy a computer but
   the salesman tried to sell me windows instead..."
Received on Mon Dec 3 22:19:03 2001