SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (Generic)  >   ht://Dig    Vendors:   ht://Dig Group
(Vendor Issues Fix) Re: ht://Dig Search Engine Software May Allow Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1004748
SecurityTracker URL:  http://securitytracker.com/id/1004748
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 11 2002
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   An input validation vulnerability was reported in the ht://Dig search engine software. A remote user may be able to conduct cross-site scripting attacks against users of web sites that have deployed ht://Dig.

According to the report, a remote user can construct a URL of the following form. When the target user loads it, htsearch reflects the "words" search terms into the results page without HTML-encoding them, so arbitrary script supplied in the query is executed by the target user's browser:

http://[host]/cgi-bin/htsearch.cgi?words=%22%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E

The code will appear to originate from the host running ht://Dig and will run in the security context of that host. As a result, the code may be able to access the target user's cookies associated with that site (if any), access content submitted to that site by the target user via a web form, or take actions on that site acting as the target user.

Other users report recent versions of the product may not be vulnerable. One user indicates that 3.2.0b3 appears to be vulnerable and another user indicates that 3.2.0b4-011302 (from a Red Hat distribution) is not vulnerable.

Impact:   For any site running ht://Dig, a remote user may be able to access the target user's cookies associated with that site (if any), access content submitted to that site by the target user via a web form, or take actions on that site acting as the target user.
Solution:   The vendor has issued a fix. The following versions ship default templates that HTML-encode the reflected search terms, so a "script" tag in the query is emitted as text rather than as markup:

- 3.2.0b2, 3.2.0b3 and snapshots of 3.2.0b4
- 3.1.5 and 3.1.6
- (only 3.2.0b4 and 3.1.6 solve other, non-XSS issues)

Sites that use customised templates should check that they output user-controlled variables with the $&(VAR) form, which HTML-escapes the value, rather than the raw $(VAR) form; the vendor's statement above covers the default templates only.

These are available at:

http://www.htdig.org/where.html

Vendor URL:  www.htdig.org/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Jul 1 2002 ht://Dig Search Engine Software May Allow Cross-Site Scripting Attacks



 Source Message Contents

Subject:  Re: XSS in ht://Dig



In-Reply-To: <Pine.LNX.4.44.0206281905330.9527-100000@ticalc.ticalc.org>
>PW> My example URL suggests that version 3.1.5 is also immune, though 3.1.5
>PW> has other issues that 3.1.6 resolves -- see
>PW>    http://online.securityfocus.com/bid/3410 and
>PW>    http://www.htdig.org/index.html
>
>Version 3.2.0b3 seems to be vulnerable.

Sorry for the somewhat slow response, I'm not normally subscribed to
BugTraq. Two previous attempts to send this (July 1 and July 5th) did not
go through for whatever reason.

As far as XSS goes, the following versions have default templates that are
immune to such things--you'd get properly HTML-encoded "script" tags.

3.2.0b2, 3.2.0b3 and snapshots of 3.2.0b4
3.1.5 and 3.1.6
(only 3.2.0b4 and 3.1.6 solve other, non-XSS issues)

Now, we'll certainly send out an announcement reminding people that they
should be using recent versions of ht://Dig and that they should make sure
their templates use the $&(VAR) form that HTML-escapes output. And it'll
be a good idea to update the documentation to make this clear.

But...

I'll point out that ht://Dig has its own mailing list. If there is a
vulnerability that has *not* been addressed in current versions, please
let us know, give us a specific example and we'll post to BugTraq. Further
discussion is probably best left on the
htdig-discuss@lists.sourceforge.net or htdig-dev mailing lists or via
private e-mail.

Regards,
--
-Geoff Hutchison
Williams Students Online
http://wso.williams.edu/
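The template behaviour the reply above describes (raw $(VAR) substitution versus the HTML-escaping $&(VAR) form), applied to the advisory's example URL, as an added example. This is not ht://Dig's own code (htsearch is written in C++) but a small Python model of the two substitution forms, plus a check a site operator can run against a real htsearch response to tell whether a deployed template still reflects the payload raw. The host name example.invalid, the WORDS variable name and the input-field template fragment are assumptions made for illustration.

```python
"""Model of ht://Dig's two template-variable forms and a reflected-XSS check.

Added example, not code from ht://Dig. The $(VAR) raw form and the $&(VAR)
HTML-escaping form are the ones named in the vendor's reply; the regex-based
substitution below is a deliberate simplification of the real template engine.
"""
import html
import re
from urllib.parse import parse_qs, urlsplit

# The advisory's example URL with "[host]" replaced by an assumed host name
# (example.invalid); the query string is reproduced exactly as published.
ADVISORY_URL = (
    "http://example.invalid/cgi-bin/htsearch.cgi?words="
    "%22%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E"
)

# Two hypothetical results-page fragments: a pre-fix template that echoes the
# search terms raw, and the fixed form using the escaping variable. The WORDS
# variable name and the input field are assumptions for illustration.
VULNERABLE_TEMPLATE = '<input type="text" name="words" value="$(WORDS)">'
FIXED_TEMPLATE = '<input type="text" name="words" value="$&(WORDS)">'

# Matches $(NAME) or $&(NAME); group 1 is "&" when escaping was requested.
_VAR_RE = re.compile(r"\$(&?)\((\w+)\)")


def words_from_url(url: str) -> str:
    """Return the percent-decoded 'words' parameter, as htsearch would see it."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("words", [""])[0]


def render(template: str, variables: dict) -> str:
    """Substitute template variables: $(VAR) verbatim, $&(VAR) HTML-escaped.

    Escaping covers <, >, & and both quote characters, so a value can neither
    close the attribute it is placed in nor open a new tag.
    """
    def substitute(match: re.Match) -> str:
        escape = match.group(1) == "&"
        value = variables.get(match.group(2), "")
        return html.escape(value, quote=True) if escape else value

    return _VAR_RE.sub(substitute, template)


def payload_reflected_raw(body: str, payload: str) -> bool:
    """True if the decoded payload appears verbatim (unescaped) in a response.

    Matching the exact payload rather than any '<script>' avoids false
    positives from the page's own legitimate scripts.
    """
    return payload in body


if __name__ == "__main__":
    payload = words_from_url(ADVISORY_URL)
    for label, template in (("vulnerable", VULNERABLE_TEMPLATE),
                            ("fixed", FIXED_TEMPLATE)):
        page = render(template, {"WORDS": payload})
        print(f"{label}: {page}")
        print(f"  payload reflected raw: {payload_reflected_raw(page, payload)}")
```

To check a live installation, request the advisory URL against your own htsearch, then pass the response body and the decoded payload to payload_reflected_raw(); a hit means the template in use still emits the search terms with the raw form. Run the check against the templates actually deployed, since the version list in the reply covers the default templates only.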


 
 



Copyright 2021, SecurityGlobal.net LLC