Search engine firm Excite this morning owned up to the discovery of a major security flaw in its Excite for Web Servers 1.1 (EWS) system, at the same time releasing a patch intended to remedy the problem.
The EWS system is available from Excite (XCIT) as unsupported software that Web site administrators can install on their sites to provide local search facilities. EWS has gained widespread acceptance due to its ease of installation and the powerful search facilities it provides, and is used on many large corporate sites. The security hole would allow a knowledgeable user to type a search query that included commands that would run on the server - effectively giving the world at large access to that server.
The Excite announcement was e-mailed directly to users early this morning, detailing the general nature of the flaw, along with details of how to obtain a fix from the Excite Web site. However, there is some consternation in the Web community over how long it has taken Excite to notify people of the problem. EWS 1.1 has been available since late 1996, and anyone inspecting the code supplied as part of the system could potentially have discovered the flaw.
Full details of the security flaw, how to exploit it, and some suggestions about how to fix it were posted on the well-known hacking Web site rootshell.com on New Year's Day. Hackers were therefore potentially in possession of a "golden key" to Web servers for two weeks before Excite notified users of the problem. The Web community has been astonished not by the fact that a security hole exists, but by the obvious nature of the glitch.
It isn't known whether any sites have fallen prey to this, but the potential exists that any site running EWS 1.1 may have been hacked "invisibly", with the hacker gaining access to the system password file via the Excite flaw. They could then use the information gained to remove traces of the attack, whilst retaining future access to the server.
As knowledge of the problem becomes more widespread it will be a race against time for sites to implement the fix and close the door to potential hackers. Already concern has been expressed over whether the fix provided by Excite is the best way of tackling the problem, and whether the method used may have security issues of its own.