Excite Search Software Bug Found

Excite Search Software Bug Found

From The Search Engine Report
Feb. 3, 1998

A security bug was found in the Excite search software that is used by many webmasters to index their web sites. Those running Excite For Web Servers 1.1 should download a free patch to correct it. The bug affects both Unix and Windows NT operating systems. A new bug-free version 1.1.1 is also now available for Unix and soon to be released for Windows NT.

The bug does not affect the Excite web site. Visiting the site or doing searches does not cause a security problem for users. This is an issue only for webmasters running EWS 1.1. Version 1.0 is unaffected.

The bug was first reported on BugTraq in December, in a message that was also copied to an Excite administrative address. The message was overlooked, causing the company to scramble when it was alerted to the bug on Jan. 12 by Wired News.

Excite readily admitted to being embarrassed that the message slipped through the cracks and pledged that such a thing wouldn't happen again.

"That was definitely something we have dealt with in a significant fashion," said product manager Kris Carpenter. "We're going to reduce the complexity of communicating with us and make it absolutely clear, 'This is how to reach us.'"

The bug allows those knowledgeable about system administration to execute commands and read files via information relayed through the search box, but only on systems with lax security.

"It would require that the webmaster left the server open more than normal," said Carpenter. "The extent of the possible impact is in most cases going to be minimal," though she added, "We definitely are very concerned the impact it could have had on the web community."

The person who discovered the bug, Marc Merlin, agreed that the impact would be limited on a secure system, but he noted that many systems are left unprotected.

"It is true that the impact for very well maintained systems is minimal, but there are too many Unix machines that are vulnerable one way or another," Merlin said.

Excite gets no income from the software. It has been always been free, though a few support contracts were once sold. These expired at the end of 1996. Since then, it has been offered completely unsupported, as a benefit to webmasters.

Excite Security Notice
http://www.excite.com/navigate/download.html

The patch for version 1.1, the patched full-version 1.1.1, FAQs and information from Excite about the bug.

Excite Bug Discovered
Webpedia, Jan. 1998
http://www.webpedia.com/features/reports/ews/

More technical details about the bug, and how to patch it.

CGI security hole in EWS (Excite for Web Servers)
BugTraq Archives, Dec. 1997
http://www.netspace.org/cgi-bin/wa?A1=ind9712c&L=bugtraq#7

The original bug report, with technical details

Excite Moves to Patch Search Software
Wired, Jan. 14, 1998
http://www.wired.com/news/news/technology/story/9649.html

Excite bug opens Unix servers
News.com, Jan. 13, 1998
http://www.news.com/News/Item/0,4,18039,00.html

Excite Search Bug Threatens Web Sites
Wired, Jan. 12, 1998
http://www.wired.com/news/news/technology/story/9618.html