Copyright 2022 - CSIM - Asian Institute of Technology

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]


CERT* Vendor-Initiated Bulletin VB-97.13
November 14, 1997

Topic:	Vulnerability in GlimpseHTTP and WebGlimpse CGI scripts
Source:  Project FUSE, University of Arizona
Related CERT documents:

To aid in the wide distribution of essential security information, the CERT
Coordination Center is forwarding the following information from Project FUSE,
University of Arizona. Project FUSE urges you to act on this information as
soon as possible. Project FUSE contact information is included in the
forwarded text below; please contact them if you have any questions or need
further information.

Please note that there is related information about these vulnerabilities in
AUSCERT Advisory AA-97.28, "Vulnerability in GlimpseHTTP and WebGlimpse
cgi-bin Packages", available from

=======================FORWARDED TEXT STARTS HERE============================

Problem: Vulnerability in GlimpseHTTP 2.0 and
         WebGlimpse versions prior to 1.5

I. Description

A vulnerability exists in the GlimpseHTTP web search package.  A related
vulnerability exists in the WebGlimpse web search package prior to version
1.5 (the latest version).  These packages are popular collections of tools
that provide easy-to-use interface to Glimpse, an indexing and query
system, to provide a search facility on web sites.

Due to insufficient argument checking by some of GlimpseHTTP and older
WebGlimpse routines, intruders may be able to force it to execute arbitrary
commands with the privileges of the httpd process.  Attacks against
GlimpseHTTP using these vulnerabilities have been reported.

Similar attacks have been reported on other scripts, and it is a good idea
now to check all your CGI scripts.  For more information see

To check whether exploitation of this vulnerability has been attempted at
your site, search for unusual accesses to aglimpse in your access logs.
An example of how to do this is:

# egrep 'aglimpse.*IFS' {WWW_HOME}/logs/access_log

Where {WWW_HOME} is the base directory for your web server.

If this command returns anything, further investigation is necessary.

Up-to-date information regarding these vulnerabilities can be obtained from
the authors of GlimpseHTTP and WebGlimpse at

Although the attacks against GlimpseHTTP have focused on version 2.0,
similar attacks may be possible on earlier versions.

II. Impact

Remote users may be able to execute arbitrary commands with the privileges
of the httpd process which answers HTTP requests.  This may be used to
compromise the http server and under certain configurations gain privileged
access.  Current attacks concentrated on obtaining the /etc/passwd file on
systems that do not provide shadow passwords.

III. Solution

The authors have decided to stop supporting GlimpseHTTP, and instead have
released a new version (1.5) of WebGlimpse, which has most of the features
of GlimpseHTTP and many more.

Users of any version GlimpseHTTP are encouraged to upgrade to the new
WebGlimpse.  Users of earlier versions of WebGlimpse are also encouraged to
upgrade, as version 1.5 is more robust and more secure.  WebGlimpse can be
found at

For sites that cannot immediately install the current version of
WebGlimpse, it is recommended that you disable the version of GlimpseHTTP
or WebGlimpse you are using and use another script to interface to Glimpse.

Questions to the authors can be directed to This email address is being protected from spambots. You need JavaScript enabled to view it.

========================FORWARDED TEXT ENDS HERE=============================

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident Response
and Security Teams (FIRST). See

We strongly urge you to encrypt any sensitive information you send by email.
The CERT Coordination Center can support a shared DES key and PGP. Contact
the CERT staff for more information.

Location of CERT PGP key

CERT Contact Information
- - ------------------------
Email    This email address is being protected from spambots. You need JavaScript enabled to view it.

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST
                (GMT-5)/EDT(GMT-4), and are on call for
                emergencies during other hours.

Fax      +1 412-268-6989

Postal address
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890

CERT publications, information about FIRST representatives, and other
security-related information are available from

CERT advisories and bulletins are also posted on the USENET newsgroup

To be added to our mailing list for CERT advisories and bulletins, send your
email address to
        This email address is being protected from spambots. You need JavaScript enabled to view it.
In the subject line, type
        SUBSCRIBE  your-email-address

* Registered U.S. Patent and Trademark Office.

The CERT Coordination Center is part of the Software Engineering
Institute (SEI). The SEI is sponsored by the U. S. Department of Defense.

This file:

Version: 2.6.2


Powered by: MHonArc

Login Form


School of Engineering and technologies     Asian Institute of Technology