Date: Sun, 7 Oct 2001 15:46:40 -0500
From: "Geoff Hutchison" <email@example.com>
Subject: Re: Bug found in ht://Dig htsearch CGI
CC: firstname.lastname@example.org, "htdig3-dev" <htdig-
* Name: ht://Dig (htsearch CGI)
* Versions affected: 3.1.0b2 and more recent, including 3.1.5 and 3.2.0b3
* Vulnerability: (Potential remote exposure. Denial of Service.)
The htsearch CGI runs both as a CGI and as a command-line program.
The command-line program accepts the -c [filename] option to read in an
alternate configuration file. However, no filtering is done
to stop the CGI program from taking command-line arguments, so a
remote user can force the CGI to stall until it times out (resulting
in a DoS) or read in a different configuration file.
For a remote exposure, a specified configuration file would need to
be readable via the webserver UID (e.g. anonymous FTP with upload
enabled or Samba world-readable log files are the possible targets)
to potentially retrieve files readable by the webserver UID.
* Potential exploit:
Upgrade to current prerelease versions of 3.1.6 or 3.2.0b4, or apply
Prerelease versions are available from
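As an added defensive illustration (written for this page, not ht://Dig's own code or patch), the check the advisory says is missing: refuse every command-line argument when the program was started as a CGI, and accept -c only from a real shell. It relies on the CGI/1.1 convention that the web server sets GATEWAY_INTERFACE, and on the fact that a server passes an ISINDEX-style query (no "=" in QUERY_STRING) to the script split on "+" as argv. The sample argv arrays and the default configuration path are constructed placeholders.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Placeholder default configuration file (not ht://Dig's real path). */
#define DEFAULT_CONFIG "/path/to/default/htdig.conf"

/* Constructed sample invocations for demonstration; not real traffic. */
static char *sample_cgi_argv[]   = {"htsearch", "-c", "/tmp/attacker.conf", NULL};
static char *sample_bogus_argv[] = {"htsearch", "--verbose", NULL};

/* Return 1 if the process was launched by a web server as a CGI.
   CGI/1.1 requires the server to set GATEWAY_INTERFACE to "CGI/<version>". */
int running_as_cgi(const char *gateway_interface) {
    return gateway_interface != NULL && strncmp(gateway_interface, "CGI/", 4) == 0;
}

/* Decide whether argv[] is acceptable for the execution mode.
   Under CGI, an ISINDEX-style query is split on '+' and handed to the script
   as argv, so every argument is remote input and the whole vector is refused.
   On the command line only "-c <file>" pairs are accepted; anything else is
   rejected rather than silently ignored.
   Returns 1 when the invocation is allowed, 0 when it must be rejected. */
int args_allowed(int argc, char *const argv[], const char *gateway_interface) {
    if (running_as_cgi(gateway_interface))
        return argc <= 1;                 /* CGI mode: no arguments at all */
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-c") == 0) {
            if (i + 1 >= argc)            /* "-c" with no filename */
                return 0;
            i++;                          /* skip the filename operand */
            continue;
        }
        return 0;                         /* unknown option */
    }
    return 1;
}

/* Select the configuration file: the -c operand on a trusted command line,
   otherwise the compiled-in default. Call only after args_allowed() == 1;
   in CGI mode the default is returned regardless of argv. */
const char *config_path(int argc, char *const argv[],
                        const char *gateway_interface, const char *default_path) {
    if (running_as_cgi(gateway_interface))
        return default_path;
    for (int i = 1; i + 1 < argc; i++)
        if (strcmp(argv[i], "-c") == 0)
            return argv[i + 1];
    return default_path;
}

int main(int argc, char *argv[]) {
    const char *gi = getenv("GATEWAY_INTERFACE");
    if (!args_allowed(argc, argv, gi)) {
        if (running_as_cgi(gi))
            printf("Content-Type: text/plain\r\n\r\n"
                   "Command-line arguments are not accepted in CGI mode.\n");
        else
            fprintf(stderr, "usage: %s [-c configfile]\n", argv[0]);
        return 2;
    }
    printf("configuration file: %s\n", config_path(argc, argv, gi, DEFAULT_CONFIG));
    return 0;
}
```

Run it from a shell with `-c somefile` to see the operand accepted; run it with `GATEWAY_INTERFACE=CGI/1.1` set and the same arguments to see the refusal. The design point is that the mode decision comes from the environment the server controls, not from the arguments the remote user controls, so a -c smuggled through the query string can never reach the configuration loader.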
Fixed in our latest 7.2 errata for htdig.
Read ya, Phil