Bugtraq mailing list archives
Re: Bug found in ht://Dig htsearch CGI
From: Geoff Hutchison <ghutchis () wso williams edu>
Date: Sun, 7 Oct 2001 15:46:40 -0500
* Name: ht://Dig (htsearch CGI)
* Versions affected: 3.1.0b2 and more recent, including 3.1.5 and 3.2.0b3
* Vulnerability: (Potential remote exposure. Denial of Service.)
* Details: The htsearch CGI runs as both the CGI and as a command-line program. The command-line program accepts the -c [filename] to read in an alternate configuration file. On the other hand, no filtering is done to stop the CGI program from taking command-line arguments, so a remote user can force the CGI to stall until it times out (resulting in a DOS) or read in a different configuration file.

For a remote exposure, a specified configuration file would need to be readable via the webserver UID (e.g. via anonymous FTP with upload enabled, or samba world-readable log files are the possible targets) to potentially retrieve files readable by the webserver UID.

e.g. nothing_found_file: /path/to/the/file/we/steal

* Potential exploit:
http://your.host/cgi-bin/htsearch?-c/dev/zero
http://your.host/cgi-bin/htsearch?-c/path/to/my.file
* Fix: Upgrade to current prerelease versions of 3.1.6 or 3.2.0b4, or apply attached patches.
Prerelease versions are available from <http://www.htdig.org/files/snapshots/>
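As an added illustration of the defensive fix described above (this is not the ht://Dig patch and not code from the post), the sketch below shows how a program that doubles as a CGI and a command-line tool can refuse argv options when the environment says a web server invoked it. The names running_as_cgi, decide_config and ArgDecision are assumed for this example; the environment variables GATEWAY_INTERFACE and REQUEST_METHOD are the ones the CGI specification has the server set.

```cpp
// Hardened argument handling for a dual CGI / command-line program (added example).
#include <cstdlib>
#include <iostream>
#include <string>
#include <vector>

// True when the CGI environment is present. A web server passes an '='-less
// query string (ISINDEX style) to the program as argv, so under CGI every
// command-line argument is attacker-controlled and must be ignored.
bool running_as_cgi(const char* gateway, const char* method) {
    return (gateway && *gateway) || (method && *method);
}

struct ArgDecision {
    std::string config_file;  // configuration file selected, or the default
    bool rejected_argv;       // true when argv carried options we refused
};

// Pure function over the arguments (argv without argv[0]) so it can be
// exercised without a real process environment. Only -c is modelled here.
ArgDecision decide_config(const std::vector<std::string>& args, bool is_cgi,
                          const std::string& default_config) {
    ArgDecision d{default_config, false};
    if (is_cgi) {
        d.rejected_argv = !args.empty();  // never honour -c from a query string
        return d;
    }
    for (size_t i = 0; i < args.size(); ++i) {
        const std::string& a = args[i];
        if (a == "-c" && i + 1 < args.size()) {
            d.config_file = args[++i];            // "-c file"
        } else if (a.rfind("-c", 0) == 0 && a.size() > 2) {
            d.config_file = a.substr(2);          // "-cfile" (as in ?-c/dev/zero)
        }
    }
    return d;
}

int main(int argc, char** argv) {
    std::vector<std::string> args(argv + 1, argv + argc);
    bool cgi = running_as_cgi(std::getenv("GATEWAY_INTERFACE"),
                              std::getenv("REQUEST_METHOD"));
    // "/path/to/default.conf" is a placeholder for the compiled-in default.
    ArgDecision d = decide_config(args, cgi, "/path/to/default.conf");
    if (d.rejected_argv)
        std::cerr << "htsearch: ignoring command-line options under CGI\n";
    std::cout << "config: " << d.config_file << "\n";
    return 0;
}
```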