[UNIX] Security Bug Found in ht://Dig htsearch CGI (DoS, File Exposure)

From: support@securiteam.com
Date: 10/16/01


From: support@securiteam.com
To: list@securiteam.com
Subject: [UNIX] Security Bug Found in ht://Dig htsearch CGI (DoS, File Exposure)
Message-Id: <20011016170343.0FC5B138C1@mail.der-keiler.de>
Date: Tue, 16 Oct 2001 19:03:43 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Security Bug Found in ht://Dig htsearch CGI (DoS, File Exposure)
------------------------------------------------------------------------

SUMMARY

The ht://Dig system (http://sourceforge.net/projects/htdig/) is a
complete indexing and searching system for a domain or Intranet. A
security vulnerability in the product allows attackers to either cause the
htsearch CGI to stop responding, or to cause it to reveal the content of
sensitive files.

DETAILS

Vulnerable systems:
htDig version 3.1.0b2 and more recent, including 3.1.5 and 3.2.0b3

Immune systems:
htDig version 3.1.6 or 3.2.0b4

htsearch is a single binary that runs both as a CGI and as a command-line
program. On the command line it accepts -c [filename] to read an
alternate configuration file. Nothing stops the same option from arriving
through the CGI path: when a query string contains no '=' character, a
CGI-compliant web server splits it on '+' and passes the pieces to the
program as command-line arguments (the "indexed query" form described in
RFC 3875, section 4.4), so a request such as htsearch?-c/path reaches
htsearch with "-c/path" in argv. A remote user can therefore make the CGI
open a file that never reaches end-of-file, stalling it until the server
times out (a DoS), or make it load a configuration file of the attacker's
choosing.

Loading an arbitrary configuration file matters because htsearch sends
the contents of files named in that configuration back to the client.
For a remote exposure the attacker first needs a configuration file of
their own on the server in a place the web server UID can read (the
original report names anonymous FTP with upload enabled and world-readable
Samba log files as the likely places), then points -c at it. Any file
readable by the web server UID can then be retrieved. For example, a
configuration containing

nothing_found_file: /path/to/the/file/we/steal

makes htsearch return that file's contents as the "no matches" page.

Exploit:
http://your.host/cgi-bin/htsearch?-c/dev/zero  (stalls htsearch: DoS)
http://your.host/cgi-bin/htsearch?-c/path/to/my.file  (loads the attacker's configuration)

Fix:
Upgrade to 3.1.6 or 3.2.0b4 (both prerelease versions at the time of this advisory).
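The following is an added example written for this page; it is not ht://Dig's own code. It models the whole chain described above: how an '='-free query string becomes argv for a CGI (RFC 3875, section 4.4), how a getopt-style "-c" then selects an attacker-supplied configuration, how a nothing_found_file directive in that configuration leaks a file readable by the web server UID, and one way to close the hole. The hardened branch (ignore argv whenever REQUEST_METHOD is set, i.e. the process was started by a web server) is an assumed fix for illustration, not necessarily the one the ht://Dig project shipped. The toy filesystem, file paths and access-log lines are constructed for the example.

```python
"""Model of the htsearch -c exposure and a hardened variant (added example)."""
import re
from urllib.parse import unquote

DEFAULT_CONFIG = "/etc/htdig/htdig.conf"

# Constructed stand-in for the server filesystem as seen by the web UID.
# /dev/zero is deliberately absent: a real read of it never hits EOF.
FAKE_FS = {
    "/etc/htdig/htdig.conf": "nothing_found_file: /var/www/nomatch.html\n",
    "/var/www/nomatch.html": "<p>No matches found.</p>\n",
    "/home/ftp/incoming/evil.conf": "nothing_found_file: /etc/passwd\n",
    "/etc/passwd": "root:x:0:0:root:/root:/bin/sh\n",
}

# Constructed access-log lines for the triage function at the bottom.
LOG_LINES = [
    '10.0.0.5 - - [16/Oct/2001:19:03:43 +0200] "GET /cgi-bin/htsearch?words=htdig HTTP/1.0" 200 512',
    '10.0.0.9 - - [16/Oct/2001:19:05:01 +0200] "GET /cgi-bin/htsearch?-c/dev/zero HTTP/1.0" 500 0',
    '10.0.0.9 - - [16/Oct/2001:19:05:30 +0200] "GET /cgi-bin/htsearch?%2Dc/home/ftp/incoming/evil.conf HTTP/1.0" 200 1834',
]


def query_string_to_argv(query_string):
    """RFC 3875 4.4: if QUERY_STRING contains no '=', the server splits it
    on '+' and URL-decodes each piece into a command-line argument."""
    if "=" in query_string:
        return []
    return [unquote(piece) for piece in query_string.split("+") if piece]


def config_from_argv(argv):
    """getopt-style scan for -c, accepting both '-cFILE' and '-c FILE'."""
    for i, arg in enumerate(argv):
        if arg == "-c" and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith("-c") and len(arg) > 2:
            return arg[2:]
    return None


def select_config(argv, env, hardened):
    """Vulnerable: honour -c from argv no matter who supplied it.
    Hardened (assumed fix): when REQUEST_METHOD is set the process was
    started by a web server, so argv is untrusted and is ignored."""
    if hardened and "REQUEST_METHOD" in env:
        return DEFAULT_CONFIG
    return config_from_argv(argv) or DEFAULT_CONFIG


def parse_config(text):
    """Minimal 'key: value' parser for the one directive this example uses."""
    conf = {}
    for line in text.splitlines():
        if ":" in line and not line.lstrip().startswith("#"):
            key, value = line.split(":", 1)
            conf[key.strip()] = value.strip()
    return conf


def render_no_results(query_string, env, hardened, fs=FAKE_FS):
    """Body returned for a search with no hits: the nothing_found_file of
    whichever configuration ended up selected."""
    argv = query_string_to_argv(query_string)
    conf = parse_config(fs.get(select_config(argv, env, hardened), ""))
    return fs.get(conf.get("nothing_found_file", ""), "")


# Query strings beginning with -c (raw or %2D-encoded) aimed at htsearch.
HTSEARCH_C_OPTION = re.compile(r"htsearch\?(?:-|%2d)c", re.IGNORECASE)


def flag_requests(log_lines):
    """Access-log triage: requests that hand htsearch a -c argument."""
    return [line for line in log_lines if HTSEARCH_C_OPTION.search(line)]


if __name__ == "__main__":
    cgi_env = {"REQUEST_METHOD": "GET"}
    attack = "-c/home/ftp/incoming/evil.conf"
    print("vulnerable:", repr(render_no_results(attack, cgi_env, hardened=False)))
    print("hardened:  ", repr(render_no_results(attack, cgi_env, hardened=True)))
    for hit in flag_requests(LOG_LINES):
        print("flagged:", hit)
```

The command-line use case is untouched by the hardened branch: with no REQUEST_METHOD in the environment, -c still selects the requested file. The log regex only matches a -c at the very start of the query string, which is where the CGI argument passing puts it; it will not flag an ordinary words=... search that happens to contain "-c".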

ADDITIONAL INFORMATION

The information has been provided by <mailto:ghutchis@wso.williams.edu>
Geoff Hutchison.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
