A serious root
level compromise on Zeus Technologies'
high-performance web-server was reported on the well-known Bugtraq security
mailing list earlier today. In its insecure state, the Zeus search engine, which
is transportable to virtual websites, can be used to request any file on the
webserver, including the password file which contains the "root" password. Once
you are logged into a UNIX server with the "root" password, you can do anything
you want to the server including assigning new passwords to users, stealing
confidential information, inserting viruses and trojan horses, and blowing away
entire filesystems. If you have a backend database on your webserver, this could
be a database administrator's worst nightmare.
security vulnerability will bring awareness to the user community that not all
search engines are safe. Careful planning and analysis should be done before
plopping any search engine on a webserver. Have your organization's security
team do an analysis on any search engine before dropping them on your webservers.
To plug the
vulnerability, organizations using the Zeus search engine should disable the
insecure version immediately. While disabling the search engine, restrict the
web UI to a select few hosts for added security. To their credit, Zeus responded
quickly (within three hours) with a fix and posted new binaries on their site.
Once secured, their attractive user interface will have administrators taking
a second look at it. We would have a much more secure internet if all vendors
responded to security holes as fast as Zeus.