SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   ht//Dig Vendors:   ht//Dig Group
(Gentoo Issues Fix) ht://dig Input Validation Hole in 'config' Parameter Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1013175
SecurityTracker URL:  http://securitytracker.com/id/1013175
CVE Reference:   CVE-2005-0085   (Links to External Site)
Date:  Feb 14 2005
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   An input validation vulnerability was reported in ht://dig. A remote user can conduct cross-site scripting attacks.

SuSE reported that a cross-site scripting vulnerability was discovered by Michael Krax. The 'config' parameter does not properly filter HTML code from user-supplied input before displaying an error message containing the input. A remote user can cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the ht://dig software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit URL is provided:

http://[target]/cgi-bin/htsearch?config=%3Cscript%3Ealert('foo')%3C/script%3E

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the ht://dig software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   Gentoo has released a fix and indicates that all ht://Dig users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-misc/htdig-3.1.6-r7"

Vendor URL:  www.htdig.org/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Gentoo)

Message History:   This archive entry is a follow-up to the message listed below.
Feb 3 2005 ht://dig Input Validation Hole in 'config' Parameter Permits Cross-Site Scripting Attacks



 Source Message Contents

Subject:  [gentoo-announce] [ GLSA 200502-16 ] ht://Dig: Cross-site scripting vulnerability



--V0207lvV8h4k8FAm
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200502-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: ht://Dig: Cross-site scripting vulnerability
      Date: February 13, 2005
      Bugs: #80602
        ID: 200502-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

ht://Dig is vulnerable to cross-site scripting attacks.

Background
==========

ht://Dig is an HTTP/HTML indexing and searching system.

Affected packages
=================

    -------------------------------------------------------------------
     Package         /  Vulnerable  /                       Unaffected
    -------------------------------------------------------------------
  1  www-misc/htdig     < 3.1.6-r7                         >= 3.1.6-r7

Description
===========

Michael Krax discovered that ht://Dig fails to validate the 'config'
parameter before displaying an error message containing the parameter.
This flaw could allow an attacker to conduct cross-site scripting
attacks.

Impact
======

By sending a carefully crafted message, an attacker can inject and
execute script code in the victim's browser window. This allows to
modify the behaviour of ht://Dig, and/or leak session information such
as cookies to the attacker.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All ht://Dig users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-misc/htdig-3.1.6-r7"

References
==========

  [ 1 ] CAN-2005-0085
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0085
  [ 2 ] SecurityTracker #1013078
        http://securitytracker.com/alerts/2005/Feb/1013078.html

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200502-16.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

--V0207lvV8h4k8FAm
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCD79vRsm3eDkOu7kRAviDAJ9Twlu7DvMnQ/yaSXcxJhONy006UgCgigHD
tFmVXAlfyXhvyszdMLBF1Dg=
=ChiM
-----END PGP SIGNATURE-----

--V0207lvV8h4k8FAm--

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC