Bug 152907

Summary: CAN-2005-0085 htdig cross-site scripting vulnerability
Product: [Retired] Fedora Legacy
Component: htdig
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Reporter: Marc Deslauriers <marc.deslauriers>
Assignee: Fedora Legacy Bugs <bugs>
CC: bugzilla.redhat, jimpop, pekkas
Keywords: Security
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0085
Whiteboard: 1, 2, LEGACY, rh73, rh90
Doc Type: Bug Fix
Last Closed: 2006-01-10 01:18:34 UTC

Description David Lawrence 2005-03-30 23:31:41 UTC
Description:  An input validation vulnerability was reported in ht://dig. A
remote user can conduct cross-site scripting attacks.

SuSE reported that a cross-site scripting vulnerability was discovered by
Michael Krax. The 'config' parameter does not properly filter HTML code from
user-supplied input before displaying an error message containing the input. A
remote user can cause arbitrary scripting code to be executed by the target
user's browser. The code will originate from the site running the ht://dig
software and will run in the security context of that site. As a result, the
code will be able to access the target user's cookies (including authentication
cookies), if any, associated with the site, access data recently submitted by
the target user via web form to the site, or take actions on the site acting as
the target user.

A demonstration exploit URL is provided:

http://[target]/cgi-bin/htsearch?config=%3Cscript%3Ealert('foo ')%3C/script%3E

Impact:  A remote user can access the target user's cookies (including
authentication cookies), if any, associated with the site running the ht://dig
software, access data recently submitted by the target user via web form to the
site, or take actions on the site acting as the target user.


Info:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0085
http://securitytracker.com/alerts/2005/Feb/1013078.html
http://www.gentoo.org/security/en/glsa/glsa-200502-16.xml
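To make the reflection mechanism concrete, the following is an added example written for this page; it is not ht://Dig's own code, and the function names, the simplified HTML fragments and the url_decode helper are assumptions. It feeds the decoded query value from the demonstration URL above through the vulnerable pattern (user input interpolated into an error message that is written into the response unescaped), through the fix the patch quoted in comment 2 applies (omit the input from the message), and through an HTML-escaping alternative that keeps the diagnostic:

```cpp
#include <cctype>
#include <iostream>
#include <string>

// Percent-decode a CGI query value ('+' -> space, %XX -> byte). Hypothetical
// stand-in for the CGI library's own decoding, used only so the page's
// %-encoded exploit URL can be fed in as-is.
std::string url_decode(const std::string& in) {
    std::string out;
    for (std::size_t i = 0; i < in.size(); ++i) {
        if (in[i] == '+') {
            out += ' ';
        } else if (in[i] == '%' && i + 2 < in.size()
                   && std::isxdigit(static_cast<unsigned char>(in[i + 1]))
                   && std::isxdigit(static_cast<unsigned char>(in[i + 2]))) {
            out += static_cast<char>(std::stoi(in.substr(i + 1, 2), nullptr, 16));
            i += 2;
        } else {
            out += in[i];
        }
    }
    return out;
}

// Escape the characters that matter in an HTML text node or a quoted
// attribute value. Applied at the sink, right before the value is emitted.
std::string html_escape(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (unsigned char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += static_cast<char>(c);
        }
    }
    return out;
}

// Vulnerable pattern from the bug: the raw 'config' parameter is
// interpolated into the error message, which goes straight into the page.
std::string vulnerable_error_page(const std::string& config) {
    return "<p>Unable to find configuration file '" + config + "'</p>";
}

// Fix 1 (what the quoted legacy patch does): do not echo the parameter.
std::string omitted_error_page(const std::string&) {
    return "<p>Unable to find configuration file</p>";
}

// Fix 2: keep the filename in the message but escape it at the sink.
std::string escaped_error_page(const std::string& config) {
    return "<p>Unable to find configuration file '" + html_escape(config) + "'</p>";
}

// Crude detector for the demonstration payload: did a raw <script tag
// survive into the response?
bool contains_script_tag(const std::string& page) {
    return page.find("<script") != std::string::npos;
}

int main() {
    // Constructed input: the 'config' value from the bug's demonstration URL.
    const std::string raw = "%3Cscript%3Ealert('foo ')%3C/script%3E";
    const std::string config = url_decode(raw);
    std::cout << "vulnerable: " << vulnerable_error_page(config) << "\n"
              << "omitted:    " << omitted_error_page(config) << "\n"
              << "escaped:    " << escaped_error_page(config) << "\n";
    return 0;
}
```

Compile with `g++ -std=c++11` and run: the vulnerable variant prints the `<script>` element verbatim, which is exactly what a browser would execute in the origin of the site running htsearch. Escaping at the point of output is preferable to filtering the input on arrival, because the same value may be reflected into more than one place and each place needs the encoding appropriate to its context.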



------- Additional Comments From marcdeslauriers 2005-02-13 15:57:30 ----

Red Hat's bug:
https://bugzilla.redhat.com/beta/show_bug.cgi?id=144263



------- Additional Comments From marcdeslauriers 2005-02-13 15:59:48 ----

also:
https://bugzilla.redhat.com/beta/show_bug.cgi?id=144127



------- Bug moved to this database by dkl 2005-03-30 18:31 -------

This bug previously known as bug 2431 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2431
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.



Comment 1 Marc Deslauriers 2005-06-12 20:23:14 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated packages to QA:

Changelog:
* Sun Jun 12 2005 Marc Deslauriers <marcdeslauriers>
3.2.0-2.011302.1.legacy
- Added patch for CAN-2005-0085

rh73:
50a1bf96023c78bd3370356e54d3bb54ae6cac9c  htdig-3.2.0-2.011302.1.legacy.i386.rpm
b3f4f92f03fca35ce98f4d041d7397e1220cdac0  htdig-3.2.0-2.011302.1.legacy.src.rpm
543b8ac72415ebb6322393fb6f2edae3b62f34e4  htdig-web-3.2.0-2.011302.1.legacy.i386.rpm

7.3 Source:
http://www.infostrategique.com/linuxrpms/legacy/7.3/htdig-3.2.0-2.011302.1.legacy.src.rpm
7.3 Binaries:
http://www.infostrategique.com/linuxrpms/legacy/7.3/

rh9:
270dd2e790d87833f294f591545969cbb73c6286  htdig-3.2.0-16.20021103.1.legacy.i386.rpm
65dd05c588784832e93b4e07ffd5664496dce400  htdig-3.2.0-16.20021103.1.legacy.src.rpm
128cf1059bebca1941bcc15bcfe1f2c108627054  htdig-web-3.2.0-16.20021103.1.legacy.i386.rpm

9 Source:
http://www.infostrategique.com/linuxrpms/legacy/9/htdig-3.2.0-16.20021103.1.legacy.src.rpm
9 Binaries:
http://www.infostrategique.com/linuxrpms/legacy/9/

fc1:
a0dbfa55dcf8b1a6a9976fdee01b5a6758dac8fd  htdig-3.2.0-19.20030601.1.legacy.i386.rpm
3b7a3dbf552121f5b58333181934d8935980b108  htdig-3.2.0-19.20030601.1.legacy.src.rpm
87752190150283fe4e6b9074f24b57ebe42e04f3  htdig-web-3.2.0-19.20030601.1.legacy.i386.rpm

fc1 Source:
http://www.infostrategique.com/linuxrpms/legacy/1/htdig-3.2.0-19.20030601.1.legacy.src.rpm
fc1 Binaries:
http://www.infostrategique.com/linuxrpms/legacy/1/

fc2:
504bc3685655521501c7d4b84f69698c5fa26c78  htdig-3.2.0b5-7.1.legacy.i386.rpm
08f0678f829ce66396341644a64aee13d2aed6ac  htdig-3.2.0b5-7.1.legacy.src.rpm
fb0fd606e2b1e80cb9e3d4a41b3e85a950475f40  htdig-web-3.2.0b5-7.1.legacy.i386.rpm

fc2 Source:
http://www.infostrategique.com/linuxrpms/legacy/2/htdig-3.2.0b5-7.1.legacy.src.rpm
fc2 Binaries:
http://www.infostrategique.com/linuxrpms/legacy/2/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCrJmdLMAs/0C4zNoRAqYoAJsEmUaj2X62Po9Yp2eBIxZIQg2XmACeL+RT
iyFKKHdpypNJjWRMyFVkae4=
=Bluu
-----END PGP SIGNATURE-----


Comment 2 Pekka Savola 2005-06-17 06:31:12 UTC
For some reason, RHL73 and RHL9 patches don't include this segment, though it
exists in the code:

> --- htdig-3.2.0b6/htsearch/qtest.cc.unescaped_output  2005-01-25
12:51:00.000000000 +0100
> +++ htdig-3.2.0b6/htsearch/qtest.cc   2005-01-25 12:51:19.000000000 +0100
> @@ -132,8 +132,7 @@
>
>      if (access((char*)configFile, R_OK) < 0)
>      {
> -     reportError(form("Unable to find configuration file '%s'",
> -                      configFile.get()));
> +     reportError("Unable to find configuration file");
>      }
>
>      config->Read(configFile);
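Review bot: the `+` line fixes the reflection by dropping configFile.get() from the message entirely rather than escaping it; given that, per the bug description, reportError's text reaches the page without filtering, that is the conservative choice, but it also removes the only indication of which filename was requested. If that diagnostic is wanted, write configFile.get() to the server's error log (stderr) instead of the response, or run it through an HTML-escaping step before form(); either way the raw parameter must never reach the page. As the comment above points out, this hunk needs to be present in the RHL73 and RHL9 patches too, since the reportError(form(...)) pattern it removes is otherwise left intact there.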

Otherwise the packages looked good, and I could give them a publish, but unless
the above is intentional, could you redo RHL73 and RHL9?

Comment 3 Marc Deslauriers 2005-11-21 12:02:36 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated packages for rh73 and rh9 to QA:

Changelog:
* Sun Nov 20 2005 Marc Deslauriers <marcdeslauriers>
3.2.0-16.20021103.2.legacy
- Added missing section back into CAN-2005-0085 patch

* Sun Jun 12 2005 Marc Deslauriers <marcdeslauriers>
3.2.0-16.20021103.1.legacy
- Added patch for CAN-2005-0085

rh73:
d6eafe4aaa8ea48811b986642e148269d81b3967  htdig-3.2.0-2.011302.2.legacy.i386.rpm
0c55c7d2f598045758a567ffafb6a64e8716ed3f  htdig-3.2.0-2.011302.2.legacy.src.rpm
6a6433c8dce0e0960a8d7bfcbb29cc9ec811ffbf  htdig-web-3.2.0-2.011302.2.legacy.i386.rpm

7.3 Source:
http://www.infostrategique.com/linuxrpms/legacy/7.3/htdig-3.2.0-2.011302.2.legacy.src.rpm
7.3 Binaries:
http://www.infostrategique.com/linuxrpms/legacy/7.3/

rh9:
038e0d96baa67caf32b257fdf2c9edac98e9c024  htdig-3.2.0-16.20021103.2.legacy.i386.rpm
c1587680614b2249e5b29f5994edd378edd85904  htdig-3.2.0-16.20021103.2.legacy.src.rpm
e20a110a211a2489bee3738d61851f980cbdecc8  htdig-web-3.2.0-16.20021103.2.legacy.i386.rpm

9 Source:
http://www.infostrategique.com/linuxrpms/legacy/9/htdig-3.2.0-16.20021103.2.legacy.src.rpm
9 Binaries:
http://www.infostrategique.com/linuxrpms/legacy/9/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDgbhRLMAs/0C4zNoRAnKhAJoDt2lxvRNmIJ0HTLCHL4aKiI0fYgCdGid9
IdS4UQUNDWRe09XGhSuwm80=
=2C7O
-----END PGP SIGNATURE-----


Comment 4 Pekka Savola 2005-11-21 12:52:49 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
QA w/ rpm-build-compare.sh:
 - source integrity good
 - spec file changes minimal
 - patch corresponds to RHEL
 
+PUBLISH RHL73, RHL9, FC1, FC2
 
0c55c7d2f598045758a567ffafb6a64e8716ed3f  htdig-3.2.0-2.011302.2.legacy.src.rpm
c1587680614b2249e5b29f5994edd378edd85904  htdig-3.2.0-16.20021103.2.legacy.src.rpm
3b7a3dbf552121f5b58333181934d8935980b108  htdig-3.2.0-19.20030601.1.legacy.src.rpm
08f0678f829ce66396341644a64aee13d2aed6ac  htdig-3.2.0b5-7.1.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
 
iD8DBQFDgcO6GHbTkzxSL7QRAsIGAJ9H7V25wBuBtEHTjWq/uiYq9SRH2wCg0+qu
L3nmERn5lXHoordpmC8+Hkk=
=aSPB
-----END PGP SIGNATURE-----


Comment 5 Marc Deslauriers 2005-11-25 04:34:01 UTC
packages were pushed to updates-testing.

Comment 6 Jim Popovitch 2005-12-05 02:38:50 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

++VERIFY RH73

Works as desired.  Tested for vulnerability and could not reproduce.

9f2c2108c62a38698946a3d054a02318115575db  htdig-3.2.0-2.011302.3.legacy.i386.rpm

NOTE: I don't see a reference to this rpm in the other comments, I'm not 100%
sure of its source.
Can someone confirm this sha1sum and identify the source of the build.  Tia.

-Jim P.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFDk6jCCgSTzgd8+fwRAutyAJ41gk9PfVn2SpG7Z+tLZL5pnrDiYQCgjl7U
thYYQQLnLwzszMMkKl3BE58=
=nlly
-----END PGP SIGNATURE-----


Comment 7 Pekka Savola 2005-12-05 05:41:10 UTC
The rpms have been rebuilt, so earlier checksums are no longer valid.  It's
enough at this point to verify the GPG signature on the file.

Thanks for the verify, timeouts in 4 weeks.

Comment 8 Pekka Savola 2006-01-03 05:41:53 UTC
Timeout over.

Comment 9 Marc Deslauriers 2006-01-10 01:18:34 UTC
Packages were released to updates.