SecurityTracker.com
SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   ht://Dig
Vendors:   ht://Dig Group
ht://Dig Search Engine Software Has Remote Denial of Service and Local Information Disclosure Bugs in htsearch
SecurityTracker Alert ID:  1002525
SecurityTracker URL:  http://securitytracker.com/id/1002525
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Oct 11 2001
Impact:   Denial of service via network, Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 3.1.0b2 and more recent, including 3.1.5 and 3.2.0b3
Description:   A vulnerability was reported in the ht://Dig htsearch search engine CGI software that allows remote users to conduct denial of service attacks against the search engine. It also allows users who can place a special control file on the system to retrieve files from the server.

It is reported that htsearch accepts a -c [filename] option to read in an alternate configuration file. A remote user can specify this command line argument to cause the CGI to stall until it times out or cause it to read in another configuration file.

If a local user places an alternate configuration file on the system, a remote user may then be able to remotely view files on the system that are readable by the web server.

URLs of the following form can be used to trigger this vulnerability:

http://[targethost]/cgi-bin/htsearch?-c/dev/zero
http://[targethost]/cgi-bin/htsearch?-c/path/to/my.file
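An added detection example, not part of the advisory: a C check over web-server access-log lines (the sample lines below are constructed, not real traffic) that flags requests to htsearch whose query string is "indexed" (contains no '=') and begins with '-', which is the shape a CGI-conformant server would hand to the program as command-line options. is_cgi_option_injection and scan_sample_log are names chosen for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed Common Log Format lines for this example; not real traffic. */
static const char *sample_log[] = {
    "192.0.2.10 - - [11/Oct/2001:10:00:01 +0000] \"GET /cgi-bin/htsearch?words=htdig HTTP/1.0\" 200 2048",
    "192.0.2.11 - - [11/Oct/2001:10:00:02 +0000] \"GET /cgi-bin/htsearch?-c/dev/zero HTTP/1.0\" 500 0",
    "192.0.2.12 - - [11/Oct/2001:10:00:03 +0000] \"GET /index.html HTTP/1.0\" 200 512",
    "192.0.2.13 - - [11/Oct/2001:10:00:04 +0000] \"GET /cgi-bin/htsearch?-c/path/to/my.file HTTP/1.0\" 200 77",
    "192.0.2.14 - - [11/Oct/2001:10:00:05 +0000] \"GET /cgi-bin/htsearch?-v+words=x HTTP/1.0\" 200 77",
};

/* Return 1 when the request in a CLF line targets htsearch with an indexed
 * query string (no '=') that starts with '-': the server would hand such a
 * query to the CGI as command-line options. A query containing '=' is
 * form-style and is not passed on argv, so the last sample is not flagged. */
int is_cgi_option_injection(const char *logline)
{
    const char *quote = strchr(logline, '"');
    if (quote == NULL)
        return 0;
    const char *url = strchr(quote + 1, ' ');     /* skip the method */
    if (url == NULL)
        return 0;
    url++;
    const char *end = strchr(url, ' ');           /* end of request-target */
    if (end == NULL)
        end = url + strlen(url);
    const char *qs = memchr(url, '?', (size_t)(end - url));
    if (qs == NULL)
        return 0;
    /* basename of the path (url..qs) must be "htsearch" */
    const char *base = url;
    for (const char *p = url; p < qs; p++)
        if (*p == '/')
            base = p + 1;
    if ((size_t)(qs - base) != strlen("htsearch") || strncmp(base, "htsearch", 8) != 0)
        return 0;
    qs++;                                         /* first byte of the query */
    if (qs >= end)
        return 0;
    if (memchr(qs, '=', (size_t)(end - qs)) != NULL)
        return 0;                                 /* form-style query */
    return qs[0] == '-';
}

/* Scan the embedded sample and return how many lines were flagged. */
int scan_sample_log(void)
{
    int hits = 0;
    for (size_t i = 0; i < sizeof sample_log / sizeof sample_log[0]; i++) {
        if (is_cgi_option_injection(sample_log[i])) {
            hits++;
            printf("FLAG: %s\n", sample_log[i]);
        }
    }
    return hits;
}

int main(void)
{
    printf("%d suspicious htsearch request(s)\n", scan_sample_log());
    return 0;
}
```

The rule deliberately ignores queries that contain '=': under the CGI specification those are never split into argv, so a broader match would only add noise. Two of the five constructed lines are flagged.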

Impact:   A remote user can cause a denial of service condition. If a local user can place an alternate configuration file on the system (via FTP or Samba or some other means not related to htsearch) and that configuration file is readable by the web server, then a remote user can view files on the system that are readable by the web server.
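As an added example (not ht://Dig's own code): the two halves of the issue in C, namely how an indexed CGI query string (one with no '=') is split on '+' and handed to the program as command-line arguments, and a -c handler gated on REQUEST_METHOD the way the vendor patch does it. cgi_argv_from_query and resolve_config_file are names made up for this example, the splitting omits %XX decoding, and the default path /etc/htdig/htdig.conf is a placeholder.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 16

/* Split an "indexed" query string (no '=' in it) on '+' into argv[1..],
 * the way the CGI specification lets a server pass it as command-line
 * arguments. argv[0] is the program name; buf receives a writable copy.
 * %XX decoding is deliberately omitted here. Returns argc. */
int cgi_argv_from_query(const char *query, char *argv[], int max_args,
                        char *buf, size_t buflen)
{
    static char prog[] = "htsearch";
    int argc = 1;
    argv[0] = prog;
    argv[1] = NULL;
    if (strchr(query, '=') != NULL)
        return argc;                 /* form-style query: nothing on argv */
    strncpy(buf, query, buflen - 1);
    buf[buflen - 1] = '\0';
    for (char *tok = strtok(buf, "+"); tok != NULL && argc < max_args - 1;
         tok = strtok(NULL, "+"))
        argv[argc++] = tok;
    argv[argc] = NULL;
    return argc;
}

/* Pick the configuration file. A -c value is honoured only when
 * request_method is NULL, i.e. the program was started from a shell and
 * not by a web server (the vendor patch tests getenv("REQUEST_METHOD")
 * the same way). *refused is set when a -c override was present but
 * rejected, so the caller can log the attempt. Returns the chosen path. */
const char *resolve_config_file(int argc, char *argv[], const char *request_method,
                                const char *default_conf, int *refused)
{
    const char *chosen = default_conf;
    *refused = 0;
    for (int i = 1; i < argc; i++) {
        const char *val = NULL;
        if (strncmp(argv[i], "-c", 2) == 0) {
            if (argv[i][2] != '\0')
                val = argv[i] + 2;          /* -c/path */
            else if (i + 1 < argc)
                val = argv[++i];            /* -c /path */
        }
        if (val == NULL)
            continue;
        if (request_method != NULL) {
            *refused = 1;                   /* running as CGI: ignore it */
            continue;
        }
        chosen = val;
    }
    return chosen;
}

/* Run one constructed request end to end and report what would be used. */
int main(void)
{
    char buf[256];
    char *argv[MAX_ARGS];
    int refused;
    int argc = cgi_argv_from_query("-c/dev/zero", argv, MAX_ARGS, buf, sizeof buf);

    const char *conf = resolve_config_file(argc, argv, "GET", "/etc/htdig/htdig.conf", &refused);
    printf("CGI invocation:   using %s (override refused: %d)\n", conf, refused);
    if (refused)
        fprintf(stderr, "htsearch: -c ignored because REQUEST_METHOD is set\n");

    conf = resolve_config_file(argc, argv, NULL, "/etc/htdig/htdig.conf", &refused);
    printf("shell invocation: using %s (override refused: %d)\n", conf, refused);
    return 0;
}
```

In a real program the third argument would be getenv("REQUEST_METHOD"); it is passed explicitly here so both paths can be exercised in one run. The refused flag is what the vendor patch lacks: it lets the CGI write a line to stderr, which the web server keeps in its error log, instead of dropping the option silently.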
Solution:   Upgrade to current prerelease versions of 3.1.6 or 3.2.0b4 or apply the patches that are provided in the Source Message (the patches are Base64 encoded). Prerelease versions are reportedly available at:

http://www.htdig.org/files/snapshots/

Vendor URL:  www.htdig.org/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Conectiva Issues Fix) ht://Dig Search Engine Software Has Remote Denial of Service and Local Information Disclosure Bugs in htsearch
The vendor has released a fix.
(Caldera Issues OpenLinux Fix) ht://Dig Search Engine Software Has Remote Denial of Service and Local Information Disclosure Bugs in htsearch
The vendor has released a fix for OpenLinux.
(Debian Issues Fix) ht://Dig Search Engine Software Has Remote Denial of Service and Local Information Disclosure Bugs in htsearch
The vendor has released a fix.
(SuSE Issues Fix) ht://Dig Search Engine Software Has Remote Denial of Service and Local Information Disclosure Bugs in htsearch
The vendor has released a fix.
(Mandrake Issues Fix) ht://Dig Search Engine Software Has Remote Denial of Service and Local Information Disclosure Bugs in htsearch
The vendor has released a fix.
(Red Hat Issues Fix) ht://Dig Search Engine Software Has Remote Denial of Service and Local Information Disclosure Bugs in htsearch
The vendor has released a fix.
(FreeBSD Issues Fix) ht://Dig Search Engine Software Has Remote Denial of Service and Local Information Disclosure Bugs in htsearch
The vendor has released a fix.



 Source Message Contents

Subject:  Re: Bug found in ht://Dig htsearch CGI


--============_-1209633720==_============
Content-Type: text/plain; charset="us-ascii" ; format="flowed"

* Name: ht://Dig (htsearch CGI)

* Versions affected: 3.1.0b2 and more recent, including 3.1.5 and 3.2.0b3

* Vulnerability:   (Potential remote exposure. Denial of Service.)

* Details:
The htsearch CGI runs as both the CGI and as a command-line program. 
The command-line program accepts the -c [filename] option to read in an 
alternate configuration file. On the other hand, no filtering is done 
to stop the CGI program from taking command-line arguments, so a 
remote user can force the CGI to stall until it times out (resulting 
in a DoS) or read in a different configuration file.

For a remote exposure, a specified configuration file would need to 
be readable via the webserver UID (e.g. via anonymous FTP with upload 
enabled or samba world-readable log files are the possible targets) 
to potentially retrieve files readable by the webserver UID.
e.g.
nothing_found_file: /path/to/the/file/we/steal

* Potential exploit:
http://your.host/cgi-bin/htsearch?-c/dev/zero
http://your.host/cgi-bin/htsearch?-c/path/to/my.file

* Fix:
Upgrade to current prerelease versions of 3.1.6 or 3.2.0b4, or apply 
attached patches.

Prerelease versions are available from <http://www.htdig.org/files/snapshots/>
--============_-1209633720==_============
Content-Type: application/octet-stream; name="htsearch-3.1.x.patch"
Content-Disposition: attachment; filename="htsearch-3.1.x.patch"

Index: htdig/htsearch/htsearch.cc
diff -c htdig/htsearch/htsearch.cc:1.24.2.14 htdig/htsearch/htsearch.cc:1.24.2.15
*** htdig/htsearch/htsearch.cc:1.24.2.14	Wed Jul 25 21:18:11 2001
--- htdig/htsearch/htsearch.cc	Sat Sep  8 20:12:41 2001
***************
*** 8,14 ****
  //
  //
  #if RELEASE
! static char RCSid[] = "$Id: htsearch.cc,v 1.24.2.14 2001/07/26 04:18:11 grdetil Exp $";
  #endif
  
  #include "htsearch.h"
--- 8,14 ----
  //
  //
  #if RELEASE
! static char RCSid[] = "$Id: htsearch.cc,v 1.24.2.15 2001/09/09 03:12:41 ghutchis Exp $";
  #endif
  
  #include "htsearch.h"
***************
*** 78,86 ****
   	switch (c)
   	{
   	    case 'c':
!  		configFile = optarg;
!                  override_config=1;
!  		break;
   	    case 'v':
   		debug++;
   		break;
--- 78,95 ----
   	switch (c)
   	{
   	    case 'c':
! 	      // The default is obviously to do this securely
! 	      // but if people want to shoot themselves in the foot...
! #ifndef ALLOW_INSECURE_CGI_CONFIG
! 	      if (!getenv("REQUEST_METHOD"))
! 		{
! #endif
! 		  configFile = optarg;
! 		  override_config=1;
! #ifndef ALLOW_INSECURE_CGI_CONFIG
! 		}
! #endif
! 	      break;
   	    case 'v':
   		debug++;
   		break;
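Review bot: in the 78,95 hunk the -c value is dropped silently when REQUEST_METHOD is set, so a CGI request that carries -c runs with the default configuration and leaves no trace; consider writing a one-line diagnostic to stderr (which the web server records in its error log) at the point where the override is refused, so operators can see the attempts. Two smaller points on the same hunk: the guard wraps only case 'c', so the remaining options in this switch (case 'v', which increments debug, is visible here) are still accepted from the CGI argument vector, and skipping the option loop altogether when REQUEST_METHOD is set would be the tighter fix; and ALLOW_INSECURE_CGI_CONFIG restores the old behaviour with no build-time warning, so its effect should be documented where the build options are described.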
--============_-1209633720==_============
Content-Type: application/octet-stream; name="htsearch-3.2.x.patch"
Content-Disposition: attachment; filename="htsearch-3.2.x.patch"
Content-Transfer-Encoding: base64
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
--============_-1209633720==_============--

 
 



Copyright 2021, SecurityGlobal.net LLC