Bug 54518 - Vulnerability: (Potential remote exposure. Denial of Service.)
Status: CLOSED ERRATA
Product: Red Hat Linux
Classification: Retired
Component: htdig
Version: 7.0
Hardware: All Linux
Priority: high, Severity: medium
Assigned To: Phil Knirsch
QA Contact: David Lawrence
Keywords: Security
Reported: 2001-10-10 17:08 EDT by Piet E Barber
Modified: 2015-03-04 20:09 EST
Doc Type: Bug Fix
Last Closed: 2001-10-25 10:06:36 EDT
Description Piet E Barber 2001-10-10 17:08:25 EDT
Date: Sun, 7 Oct 2001 15:46:40 -0500 
To: bugtraq@securityfocus.com 
From: "Geoff Hutchison" <ghutchis@wso.williams.edu>
Subject: Re: Bug found in ht://Dig htsearch CGI
CC: htdig-general@lists.sourceforge.net, "htdig3-dev" <htdig-dev@lists.sourceforge.net>

* Name: ht://Dig (htsearch CGI)

* Versions affected: 3.1.0b2 and more recent, including 3.1.5 and 3.2.0b3

* Vulnerability:   (Potential remote exposure. Denial of Service.)

* Details:
The htsearch CGI runs as both the CGI and as a command-line program. 
The command-line program accepts the -c [filename] to read in an 
alternate configuration file. On the other hand, no filtering is done 
to stop the CGI program from taking command-line arguments, so a 
remote user can force the CGI to stall until it times out (resulting 
in a DOS) or read in a different configuration file.

For a remote exposure, a specified configuration file would need to 
be readable via the webserver UID (e.g. via anonymous FTP with upload 
enabled or samba world-readable log files are the possible targets) 
to potentially retrieve files readable by the webserver UID.
e.g.
nothing_found_file: /path/to/the/file/we/steal

* Potential exploit:
http://your.host/cgi-bin/htsearch?-c/dev/zero
http://your.host/cgi-bin/htsearch?-c/path/to/my.file

* Fix:
Upgrade to current prerelease versions of 3.1.6 or 3.2.0b4, or apply 
attached patches.

Prerelease versions are available from 
<http://www.htdig.org/files/snapshots/>
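
The missing filtering described in the report, sketched as an added example (not part of the original report and not the ht://Dig patch): a CGI server hands a query string that contains no "=" to the program as command-line arguments (RFC 3875, section 4.4), so a binary that doubles as a CLI tool has to ignore argv whenever it was started by a web server. `DEFAULT_CONFIG` and `select_config` are hypothetical names, and the default path is an assumption.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed default location; a real build compiles in its own path. */
#define DEFAULT_CONFIG "/etc/htdig/htdig.conf"

/*
 * Decide which configuration file to load.
 *
 * request_method is the value of the REQUEST_METHOD environment variable,
 * or NULL when it is unset. A CGI server always sets it, so a non-NULL
 * value means argv was built from the URL and must not be trusted.
 * From a shell, both "-c FILE" and "-cFILE" are honoured.
 */
const char *select_config(int argc, char **argv, const char *request_method)
{
    const char *path = DEFAULT_CONFIG;
    int i;

    if (request_method != NULL)
        return path;                /* CGI context: ignore every argument */

    for (i = 1; i < argc; i++) {
        if (strncmp(argv[i], "-c", 2) != 0)
            continue;               /* not the config option */
        if (argv[i][2] != '\0')
            path = argv[i] + 2;     /* -cFILE */
        else if (i + 1 < argc)
            path = argv[++i];       /* -c FILE */
    }
    return path;
}

int main(int argc, char **argv)
{
    const char *method = getenv("REQUEST_METHOD");

    printf("mode:   %s\n", method ? "CGI (argv ignored)" : "command line");
    printf("config: %s\n", select_config(argc, argv, method));
    return 0;
}
```
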
Comment 1 Phil Knirsch 2002-01-24 10:44:35 EST
Fixed in our latest 7.2 errata for htdig.

See https://www.redhat.com/support/errata/RHSA-2001-139.html

Read ya, Phil
