CERT-Bund-Reports

Openly accessible Sphinx servers

Sphinx is an open-source search server commonly used as a backend for web applications.

Problem

In the default configuration, the Sphinx server listens on ports 9306/tcp and 9312/tcp on all network interfaces. Sphinx does not provide any authentication mechanisms. If a Sphinx server is openly accessible from the Internet, an attacker can take advantage of this to read, modify or delete any data stored in the Sphinx database.

Verification

In this section, we show how to check a host for an openly accessible service. All tests are performed using tools commonly included with standard Linux/Unix distributions. To verify the service is openly accessible from the Internet, the test should not be run on the host itself or the local network but instead from a different node on the Internet, for example a host on a cable/DSL line. In all examples, replace 192.168.45.67 with the IP address of the host to check.

To check if a Sphinx server is openly accessible from the Internet, you can use 'netcat' as follows:

$ netcat 192.168.45.67 9306

If the connection succeeds, the Sphinx server answers on port 9306 with a MySQL-protocol handshake; among a few non-printable bytes you will see its version string, for example:

2.2.11-id64-release (95ae9a)

Solution

  • Do not expose your Sphinx server to the Internet!
  • Restrict access to the Sphinx server to trusted systems, e.g. by blocking incoming connections from the Internet to ports 9306/tcp and 9312/tcp on the firewall.
  • If both the Web and Sphinx servers are running on the same system, the Sphinx server should only listen on the localhost interface. To achieve this, change the following lines in the configuration file
    listen       = 9312
    listen       = 9306:mysql41
    to:
    listen       = localhost:9312
    listen       = localhost:9306:mysql41
  • Keep your Sphinx installation up to date. Install available security updates as soon as possible.
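To confirm that the configuration change above actually took effect, the following added example (not CERT-Bund's or the Sphinx project's code) audits the `listen` directives in a sphinx.conf and reports every one that binds a non-loopback address. It assumes the directive syntax shown above, `listen = [host:]port[:protocol]`, plus the unix-socket form `listen = /path/to/socket`, and treats a directive with no host part as binding all interfaces (the exposed default). Bracketed IPv6 literals are not handled. The two embedded configuration fragments are constructed and mirror the before and after settings from the list above.

```python
"""Audit sphinx.conf `listen` directives for bindings reachable from other hosts.

Added example, not CERT-Bund's or Sphinx's code. Assumes the syntax
`listen = [host:]port[:protocol]` or `listen = /path/to/socket`.
"""
import re
from typing import List, Tuple

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
ANY_ADDRESS = {"*", "0.0.0.0", "::"}
LISTEN_RE = re.compile(r"^\s*listen\s*=\s*(.+?)\s*$")


def parse_listen(value: str) -> Tuple[str, str, str]:
    """Split a listen value into (host, port, protocol).

    host is "*" when no host is given (binds all interfaces) and "unix"
    for a socket path. Bracketed IPv6 literals are not supported here.
    """
    if value.startswith("/"):
        return ("unix", value, "")
    parts = value.split(":")
    if len(parts) == 1:                        # "9312"
        return ("*", parts[0], "")
    if len(parts) == 2:
        if parts[0].isdigit():                 # "9306:mysql41"
            return ("*", parts[0], parts[1])
        return (parts[0], parts[1], "")        # "localhost:9312"
    return (parts[0], parts[1], parts[2])      # "localhost:9306:mysql41"


def audit_listen(conf_text: str) -> List[str]:
    """Return one finding per listen directive that other hosts can reach
    (all interfaces or any non-loopback address). Empty list means clean."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0]            # drop trailing comments
        m = LISTEN_RE.match(line)
        if not m:
            continue
        host, port, proto = parse_listen(m.group(1))
        if host == "unix" or host in LOOPBACK:
            continue
        where = "all interfaces" if host in ANY_ADDRESS else host
        # A port without an explicit protocol speaks SphinxAPI.
        findings.append(f"line {lineno}: {proto or 'sphinxapi'} on port {port} bound to {where}")
    return findings


# Constructed fragments mirroring the advisory's before/after settings.
EXPOSED_CONF = """\
searchd
{
    listen       = 9312
    listen       = 9306:mysql41
}
"""

HARDENED_CONF = """\
searchd
{
    listen       = localhost:9312
    listen       = localhost:9306:mysql41
}
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else EXPOSED_CONF
    for finding in audit_listen(text) or ["no externally reachable listen directives"]:
        print(finding)
```

Run it as `python audit_listen.py /etc/sphinxsearch/sphinx.conf` (path is an assumption; use wherever your distribution keeps the file) after editing and restarting searchd; an empty result plus a clean probe from outside the network is the combination you want.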