IBM OmniFind Vulnerabilities

November 22, 2010

In Washington, DC last week I learned that IBM OmniFind 8.x and 9.x had some hitherto unknown vulnerabilities. Because OmniFind is built on Lucene, the news is likely to cause indigestion among some of the open source champions pounding the polished halls in the corridors of power.

A bit of poking around yielded a link to the Fraunhofer Institute for Secure Information Technology. A bit of a surprise was my failure to locate information on the IBM Federal Web site, but that’s probably my failings as an open source researcher, not IBM’s.

The information at http://security.fatihkilic.de/advisory/fkilic-sa-2010-ibm-omnifind.txt is likely to be of interest to anyone running OmniFind’s recent release. The problems include cross site scripting, a method for exposing cookies, and a trick for adding an administrator account.

Some of the problems have been known since 2009. My view is that the sluggish response to the alleged vulnerabilities and the lack of easy-to-find information about the alleged issue indicate that search is not really a priority at IBM.

I also think the open source community has to do some poking around as well. And what about the azurini? Busy thinking about their grade point average for Sociology or Photography.

Stephen E Arnold, November 23, 2010

Freebie

Comments

6 Responses to “IBM OmniFind Vulnerabilities”

  1. Steve on November 22nd, 2010 1:46 am

    Hi,

    I don’t think a cross site scripting issue is any fault of Lucene itself. This is an issue with an application which uses a library, same could be true for an app telling you the weather. The implication that this might somehow reflect on all things using Lucene instead of all things from IBM is irresponsible. You should know better.

    -Steve

  2. Charlie on November 22nd, 2010 12:22 pm

    I’m afraid I agree with Steve; this has nothing to do with open source or Lucene, rather the layers built on top.

  3. Paul OHagan on November 25th, 2010 8:50 am

    Hi Stephen,

    The security concerns have all been addressed through product updates or workarounds. All concerned customers are aware of the corrections, including the original source Fraunhofer. If you would like specific details on each for posting, please let me know.

    Regards,
    Paul O’Hagan
    Offering Manager – IBM OmniFind
    pohagan@ca.ibm.com

  4. Stephen E. Arnold on November 25th, 2010 10:58 am

    Paul O’Hagan,

    Comments work. I don’t do much outreach, sitting here in Paris, thinking about French technology, the problems in Ireland, and dinner. Quite a surprise to me: The comments function does indeed work. It’s so easy even a goose like me can post.

    Stephen E Arnold, November 25, 2010

  5. Paul OHagan on November 26th, 2010 9:07 am

    Test without content in optional “Website” field.

  6. Paul OHagan on November 26th, 2010 9:11 am

    Hi Stephen – the issue appears to be with the optional “Website” field. If you enter a URL, your posting appears to be sent, but doesn’t show.

    Hope it helps, and enjoy your time in Paris. As a Canadian, I highly recommend a visit to the Vimy Ridge memorial, which is about an hour away if you take the TGV. If you have a car, a stop in Arras is a wonderful addition to a day trip.
