Skip to main content.
home | support | download

Back to List Archive

Re: Swish-e CGI script security?

From: David Brooks <daveb(at)not-real.sucs.org>
Date: Thu May 18 2006 - 14:06:30 GMT
Hi,

> Which cgi script are you using?  Which OS?

I'm running Debian Sarge. I installed swish-e with apt and found the 
script in /usr/share/doc/swish-e/examples/swish.cgi

The comment at the top says "swish.cgi $Revision: 1.20 $ Copyright (C) 
2001 Bill Moseley swishscript@hank.org"

And since that seems to be you, I guess I've come to the right place :-)


> Post the logs.

OK. I'm finding the apache error log very puzzling. I'm used to seeing 
nicely timestamped entries, but I assume it will just logs whatever gets 
spat out by CGIs because there is no timestamp for these entries. 
Because of this, I could be completely barking up the wrong tree - the 
Perl errors might have happened some time earlier and be unconnected... 
although I don't think I've seen them occur before.

/var/www/mysite/search.cgi aborted: Timed out
Use of uninitialized value in concatenation (.) or string at 
/usr/lib/swish-e/perl/SWISH/mysite.pm line 49.
Use of uninitialized value in concatenation (.) or string at 
/usr/lib/swish-e/perl/SWISH/mysite.pm line 282.
Use of uninitialized value in concatenation (.) or string at 
/usr/lib/swish-e/perl/SWISH/mysite.pm line 282.
Use of uninitialized value in concatenation (.) or string at 
/usr/lib/swish-e/perl/SWISH/mysite.pm line 282.
Use of uninitialized value in concatenation (.) or string at 
/usr/lib/swish-e/perl/SWISH/mysite.pm line 282.
Use of uninitialized value in concatenation (.) or string at 
/usr/lib/swish-e/perl/SWISH/mysite.pm line 282.
--18:58:48--  http://www.freewebs.com/carola/gif.txt
            => `gif.txt'
Resolving www.freewebs.com... 38.119.100.2
Connecting to www.freewebs.com[38.119.100.2]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 17,325 [text/plain]

     0K .......... ......                                     100% 
74.60 KB/s

18:58:48 (74.60 KB/s) - `gif.txt' saved [17325/17325]

kill: usage: kill [-s sigspec | -n signum | -sigspec] [pid | job]... or 
kill -l [sigspec]
Bad arg length for Socket::pack_sockaddr_in, length is 0, should be 4 at 
/usr/lib/perl/5.8/Socket.pm line 201.
join: too few non-option arguments
Try `join --help' for more information.

> Were they actually running code or just entering strings into the
> search box?  Anyone that runs a web server sees hack attempts often in
> the logs.  There's a difference between seeing the attempts and the
> attack actually working.  From your description, I suspect you are
> just seeing the logs.

Looks pretty bad to me, although for whatever reason it appears that the 
attack failed. I've been poring over logs, trying to figure out what 
happened for some time now.


> Obviously, the language has nothing to do with if it's secure or not.
> It's how it's written.

Of course. But if I'm familiar with the language that helps me rather a 
lot when it comes to looking at the code and seeing if it's sane. I 
assume this Perl CGI is sane based purely on the fact I got it out of 
debian stable.


I just realised those errors refer to a Perl file I had copied then 
edited to make the HTML output match my site... if you want me to send 
more logs and a copy of that file, I'd be happy to take it off list if 
its going to be disruptive. Also if you think this is something else 
I've goofed up and isn't Swish related, that's fair enough - thanks for 
your time all the same.

Regards,
DaveB
Received on Thu May 18 07:06:31 2006