[22812] in bugtraq


Re: Bug found in ht://Dig htsearch CGI

daemon@ATHENA.MIT.EDU (Geoff Hutchison)
Tue Oct 9 01:01:08 2001

Message-Id: <a05101001b7e66a53830e@[129.105.9.182]>
In-Reply-To: <Pine.LNX.4.21.0110070231120.13943-100000@unreal.sekure.org>
Date: Sun, 7 Oct 2001 15:46:40 -0500
To: bugtraq@securityfocus.com
From: Geoff Hutchison <ghutchis@wso.williams.edu>
Cc: htdig-general@lists.sourceforge.net, htdig3-dev <htdig-dev@lists.sourceforge.net>

* Name: ht://Dig (htsearch CGI)

* Versions affected: 3.1.0b2 and more recent, including 3.1.5 and 3.2.0b3

* Vulnerability: (Potential remote exposure. Denial of Service.)

* Details:
htsearch runs both as a CGI program and as a command-line program. The 
command-line program accepts -c [filename] to read an alternate 
configuration file. However, nothing stops the CGI program from taking 
command-line arguments as well, so a remote user can force the CGI to 
stall until it times out (resulting in a DoS) or make it read a 
different configuration file.

For remote exposure, the specified configuration file would need to be 
readable by the webserver UID; possible sources are a file uploaded via 
anonymous FTP with uploads enabled, or world-readable Samba log files. 
Such a file could then be used to retrieve files readable by the 
webserver UID, e.g.:
nothing_found_file: /path/to/the/file/we/steal

* Potential exploit:
http://your.host/cgi-bin/htsearch?-c/dev/zero
http://your.host/cgi-bin/htsearch?-c/path/to/my.file

* Fix:
Upgrade to the current prerelease versions of 3.1.6 or 3.2.0b4, or 
apply the attached patches.

Prerelease versions are available from <http://www.htdig.org/files/snapshots/>
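
The mechanism behind the advisory is the CGI "indexed query" rule: when QUERY_STRING contains no "=", the web server splits it on "+" and hands the pieces to the program as argv, so a request such as htsearch?-c/dev/zero reaches the same option parser as a shell invocation. The C++ sketch below is an added example, not the attached patch and not ht://Dig's code; it shows one defensive shape for the argument handling: decide from the standard CGI environment variables (GATEWAY_INTERFACE, REQUEST_METHOD) whether the process is a CGI, and in that mode refuse to honour any argv option while the command-line path keeps -c. The Options struct, parse_options, running_as_cgi and the default configuration path are hypothetical.

```cpp
#include <cstdlib>
#include <iostream>
#include <string>
#include <vector>

// Result of argument handling. Everything here is hypothetical, for
// illustration only; ht://Dig's real option parser is not reproduced.
struct Options {
    std::string config_file = "/etc/htdig/htdig.conf"; // assumed default path
    bool rejected_cgi_args = false; // true if query-string argv was dropped
    bool error = false;
    std::string message;
};

// A web server running a CGI sets GATEWAY_INTERFACE (e.g. "CGI/1.1") and
// REQUEST_METHOD; an interactive shell sets neither. Either one present and
// non-empty means argv came from the remote query string, not an operator.
bool running_as_cgi(const char* gateway_interface, const char* request_method) {
    return (gateway_interface && *gateway_interface) ||
           (request_method && *request_method);
}

// Parse -c FILE / -cFILE on the command line; in CGI mode ignore argv entirely
// so a request such as htsearch?-c/dev/zero cannot select the config file.
Options parse_options(const std::vector<std::string>& args, bool is_cgi) {
    Options o;
    if (is_cgi) {
        if (!args.empty()) {
            o.rejected_cgi_args = true;
            o.message = "ignoring " + std::to_string(args.size()) +
                        " argument(s) supplied via the query string";
        }
        return o; // keep the compiled-in default configuration
    }
    for (std::size_t i = 0; i < args.size(); ++i) {
        const std::string& a = args[i];
        if (a == "-c") {
            if (i + 1 >= args.size()) {
                o.error = true;
                o.message = "-c requires a filename";
                return o;
            }
            o.config_file = args[++i];
        } else if (a.compare(0, 2, "-c") == 0) {
            o.config_file = a.substr(2); // joined form -cFILE, as in the URLs above
        } else {
            o.error = true;
            o.message = "unknown option: " + a;
            return o;
        }
    }
    return o;
}

// Copy argv (minus the program name) into a vector for parse_options.
std::vector<std::string> argv_to_vector(int argc, char** argv) {
    if (argc < 1) return {};
    return std::vector<std::string>(argv + 1, argv + argc);
}

int main(int argc, char** argv) {
    bool cgi = running_as_cgi(std::getenv("GATEWAY_INTERFACE"),
                              std::getenv("REQUEST_METHOD"));
    Options o = parse_options(argv_to_vector(argc, argv), cgi);
    if (!o.message.empty()) std::cerr << "htsearch: " << o.message << "\n";
    if (o.error) return 2;
    std::cout << "using configuration file " << o.config_file << "\n";
    return 0;
}
```

Run from a shell with -c /path/to/file to exercise the command-line branch; run with REQUEST_METHOD=GET in the environment and the same argument is dropped, the default configuration is kept, and the rejection is written to stderr where the web server's error log will pick it up.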
[Attachments: htsearch-3.1.x.patch, htsearch-3.2.x.patch]
