Secure Your Search Engine

Event Summary

A serious root-level compromise of Zeus Technologies' high-performance web server was reported on the well-known Bugtraq security mailing list earlier today. In its insecure state, the Zeus search engine, which can be deployed to virtual websites, can be used to request any file on the web server, including the password file that contains the "root" password. Once logged into a UNIX server as "root", an attacker can do anything to the server: assign new passwords to users, steal confidential information, plant viruses and trojan horses, and wipe out entire filesystems. If you have a back-end database on your web server, this could be a database administrator's worst nightmare.

Market Impact

Hopefully this security vulnerability will make the user community aware that not all search engines are safe. Careful planning and analysis should be done before placing any search engine on a web server. Have your organization's security team review any search engine before it goes onto your web servers.

User Recommendations

To plug the vulnerability, organizations using the Zeus search engine should disable the insecure version immediately. While the search engine is disabled, restrict the web UI to a select few hosts for added security. To their credit, Zeus responded quickly (within three hours) with a fix and posted new binaries on their site. Once secured, their attractive user interface will have administrators taking a second look at it. We would have a much more secure Internet if all vendors responded to security holes as fast as Zeus did.
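The two defender-side pieces this story calls for, as an added example (this is not code from the article or from Zeus): first, the containment check a search or CGI component should apply before opening any document it is asked for, which is what the insecure engine described above lacks; second, detection logic that scans web access logs for search requests whose parameter looks like a file path rather than a query, so an administrator can tell whether the hole was already probed before it was disabled. The endpoint name (/search), the parameter name (q), the document root and the log lines are constructed assumptions; the article names none of them.

```python
"""Added example, not part of the original article and not Zeus code.

  resolve_under_root()  - the containment check a search component should
                          apply before reading any file it was asked for.
  scan_access_log()     - detection over sample access-log lines, flagging
                          search requests whose parameter looks like a path.

Endpoint (/search), parameter (q), document root and log lines are all
constructed assumptions for illustration.
"""
import os
import re
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlsplit


def resolve_under_root(doc_root: str, requested: str) -> Optional[str]:
    """Return the real path of `requested` if it stays inside `doc_root`, else None.

    realpath() resolves '..' segments and symlinks before the comparison, and
    the requested path is treated as relative to the root, so neither
    '../../etc/passwd' nor '/etc/passwd' can reach outside the document tree.
    """
    root = os.path.realpath(doc_root)
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/")))
    if candidate == root or candidate.startswith(root + os.sep):
        return candidate
    return None


# A '..' path segment, with either slash style, anywhere in the value.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def looks_like_file_path(value: str) -> bool:
    """True if a search parameter looks like a filesystem path, not a query.

    parse_qs() already removed one layer of percent-encoding; the extra
    unquote() catches double-encoded sequences such as %252e%252e%252f.
    """
    decoded = unquote(value)
    return (
        bool(TRAVERSAL.search(decoded))
        or decoded.startswith("/")
        or "\x00" in decoded
    )


# Common Log Format: host ident user [timestamp] "method target proto" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_access_log(lines: List[str], endpoint: str = "/search",
                    param: str = "q") -> List[dict]:
    """Return one record per request to `endpoint` whose `param` looks like a path.

    A hit with status 200 means the server answered the request and the file
    read should be treated as successful, not merely attempted.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        parts = urlsplit(m.group("target"))
        if parts.path != endpoint:
            continue
        for value in parse_qs(parts.query, keep_blank_values=True).get(param, []):
            if looks_like_file_path(value):
                hits.append({
                    "host": m.group("host"),
                    "timestamp": m.group("ts"),
                    "status": int(m.group("status")),
                    "value": unquote(value),
                })
    return hits


# Constructed sample log lines (Common Log Format), not taken from any real server.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2000:10:12:01 +0000] "GET /search?q=pricing HTTP/1.0" 200 1532
10.0.0.7 - - [10/Jan/2000:10:12:09 +0000] "GET /search?q=../../../../etc/passwd HTTP/1.0" 200 2210
10.0.0.7 - - [10/Jan/2000:10:12:15 +0000] "GET /search?q=..%2F..%2Fetc%2Fshadow HTTP/1.0" 200 1100
10.0.0.9 - - [10/Jan/2000:10:13:02 +0000] "GET /index.html HTTP/1.0" 200 812
"""


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"{hit['host']} {hit['timestamp']} status={hit['status']} q={hit['value']!r}")
    # Hypothetical document root; shows the containment check in both directions.
    print(resolve_under_root("/var/www/htdocs", "docs/index.html"))
    print(resolve_under_root("/var/www/htdocs", "../../../../etc/passwd"))
```

The containment check compares resolved paths rather than filtering the string for "..", because encoding tricks and symlinks defeat string filters while realpath() sees the path the kernel will actually open. The log scanner is deliberately narrow (one endpoint, one parameter) so it can be pointed at the specific component that is suspect; widen the endpoint list if a site exposes the search UI under several virtual hosts.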
