Excite bug opens Unix servers

A flaw in some of Excite's search engine software could potentially let a malicious Web user bring down a Web site, the company confirms.

A flaw in some of Excite's (XCIT) search engine software that could potentially bring down an improperly configured Web site has been publicly available for almost a month, prompting questions about the company's responsiveness.

First posted on the BugTraq mailing list, the problem--as well as the code that makes the hack possible--has been discussed for almost a month and spread to other sites without Excite taking any action.

An email message was sent to the company on December 18, but no one checked the Excite for Web Servers queue over the holidays because EWS is free and unsupported, said Kris Carpenter, Excite product manager for search.

"We literally don't have support people actively monitoring that queue," she said. "We were not aware of the issue until yesterday."

But the person who originally alerted BugTraq said he copied his message to the Webmaster of Excite.com. "If they don't check that mailbox, it's pretty sad for them," said Marc Merlin, a consultant at Taos Mountain.

The bug only affects Excite for Web Servers 1.1 running on Unix systems. It does not affect NT servers, nor does it affect the Excite.com Web site, which uses a proprietary version of its search technology. Chances are slim that the bug will actually result in a hack because it can only affect improperly configured servers, Carpenter said.

Critics, however, were unsatisfied with Excite's explanation.

"It's just an excuse for them not to fix an obvious hole," said Elias Levy, a security consultant who moderates the BugTraq list.

Levy pointed out that the problem is common and estimated that it accounts for a large majority of all CGI (common gateway interface) security problems.

"It's the nature of languages people use to write CGI scripts, such as PERL," he said. "Some characters let you execute commands to a Unix shell, but a lot of shells have characters people forget to filter. Instead of filtering out 'bad' characters, it's good programming practice to filter in 'good' characters."

The glitch allows a Web surfer to type a specific string of code into an Excite search form, then enter a Unix command to access the server if access privileges to certain directories have been left open.

With the proper Unix command, a malicious surfer potentially could delete directories or bring down a server.
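As an added illustration of the "filter in good characters" practice Levy describes, not code from Excite or from the original article, the following Python (rather than the Perl of the era) checks a CGI search parameter against a fixed allow-list and hands the query to the backend as an argument vector so it is never parsed by a shell. The backend path, index path and sample queries are assumptions.

```python
import re

# Allow-list for a CGI search parameter: letters, digits, space and a few
# punctuation marks. Every shell metacharacter (; | & ` $ ( ) < > newline)
# falls outside the set and fails the match, so nothing needs to be
# individually deny-listed. Length is capped as well.
_ALLOWED_QUERY = re.compile(r"[A-Za-z0-9 _.\-]{1,200}")


def query_is_safe(query: str) -> bool:
    """True only if every character in the query is on the allow-list."""
    return _ALLOWED_QUERY.fullmatch(query) is not None


def build_search_argv(query: str, index_path: str = "/var/ews/index") -> list[str]:
    """Return the argument vector for a hypothetical search backend.

    Raises ValueError for a query that fails the allow-list. Building argv as
    a list and running it without a shell (e.g. subprocess.run(argv)) means a
    character that somehow slipped past the filter would still reach the
    backend as plain data, never as shell syntax.
    """
    if not query_is_safe(query):
        raise ValueError("search query contains characters outside the allow-list")
    # Hypothetical backend path; substitute the real search binary.
    return ["/usr/local/bin/search-backend", "--index", index_path, "--query", query]


def classify_queries(queries: list[str]) -> dict[str, bool]:
    """Map each query to whether it passes the allow-list."""
    return {q: query_is_safe(q) for q in queries}


if __name__ == "__main__":
    # Constructed sample inputs: ordinary searches and ones carrying shell syntax.
    samples = [
        "excite web server",
        "perl 5.004 release-notes",
        "foo; date",
        "bar | cat",
        "baz `id`",
        "qux\nuname -a",
        "",
    ]
    for q, ok in classify_queries(samples).items():
        print(f"{'ACCEPT' if ok else 'REJECT'}: {q!r}")
```

The deny-list approach Levy warns against would have to enumerate every metacharacter of every shell; the allow-list above rejects the newline and backtick cases without ever naming them.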

Excite has confirmed that a patch, posted to BugTraq and other Web sites, should fix the problem, but it is waiting for third-party confirmation from the CERT Coordination Center that the fix works before warning customers. An alert will go out to all Unix system administrators through CERT's mailing list.

Excite maintains a list of all customers who have downloaded the product, but Carpenter could not immediately tell how many people might be affected by the problem.

Free and unsupported since early 1997, EWS 1.1 does not contribute to the company's revenue stream, but company representatives denied that any possible delay in addressing the bug was due to the product's free and unsupported status.

"I think we feel comfortable with this," said Adam Hertz, Excite's vice president of development. "This won't change our support procedures."

Hertz pointed out that the company's mainstream products come with technical support.