ht://Dig remote information exposure

From: Geoff Hutchison (ghutchisat_private)
Date: Mon Feb 28 2000 - 11:51:06 PST


    Software:	ht://Dig
    URL:		http://www.htdig.org/
    Version:	3.1.4, 3.2.0b1 and previous
    Platforms:	Unix, Win32, MacOS, Mac OS X Server
    Type:		CGI, Input validation problem
    Vendor status:	Notified, patch already available
    Date:		02/28/2000
    
    Summary:
    
    	Any remote user can view arbitrary files on your system with the
    privileges of the web user.
    
    Vulnerability:
    
    	The CGI does not properly verify form input. Many of the form
    fields are applied as configuration attributes regardless of contents. The
    configuration code allows config files to include other files through the
    use of backticks, e.g.:
    
    start_url:	`/var/htdig/htdig.urls`
    
    No distinction was made between CGI input and configuration file input
    and both would be expanded for variables or file includes.
    
    Exploit:
    
    e.g. (this no longer works)
    <http://www.htdig.org/cgi-bin/htsearch?exclude=%60/etc/passwd%60>
    
    	The file will show up in the source of the resulting page in the
    "exclude" field of the search form. Other variations could be applied.
    
    Workaround:
    
    	The recent 3.1.5 release fixes this problem. For the beta release
    of 3.2.0b1, users should update to the latest development snapshot,
    htdig-3.2.0b2-022700 and a 3.2.0b2 release will come out shortly. A patch
    is also available to update from 3.1.4 to 3.1.5.
    
    --
    -Geoff Hutchison
    Williams Students Online
    http://wso.williams.edu/
    
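The flaw described in the post is a trust-boundary mistake rather than a parsing bug: the config layer legitimately expands `${name}` references and backtick file includes, and htsearch fed CGI fields through that same layer. The model below is an added illustration, not ht://Dig's own C++ code. The regular expressions, the attribute names, the allow-list of CGI fields and the sample files are assumptions made for the demo; `/etc/passwd` and `htdig.urls` are replaced by constructed temporary files so it runs offline.

```python
"""Model of the ht://Dig config-expansion flaw: CGI input treated like config-file input.

Added illustration, not ht://Dig's own code. The regexes, attribute names,
allow-list and sample files are assumptions made for this demo.
"""
import os
import re
import tempfile
from urllib.parse import parse_qs, urlencode

BACKTICK_INCLUDE = re.compile(r"`([^`]*)`")                    # `path`  -> contents of path
VARIABLE_REF = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")  # ${name} -> attrs[name]


def expand_value(value, attrs, _depth=0):
    """Expand ${name} references and `path` file includes in one attribute value.

    Models the legitimate config-file feature from the advisory
    (start_url: `/var/htdig/htdig.urls`). The depth limit is an assumption
    added so a self-referencing attribute cannot recurse forever.
    """
    if _depth > 8:
        raise ValueError("attribute expansion nested too deeply")

    def sub_var(m):
        return expand_value(attrs.get(m.group(1), ""), attrs, _depth + 1)

    def sub_include(m):
        with open(m.group(1)) as fh:
            return fh.read().rstrip("\n")

    value = VARIABLE_REF.sub(sub_var, value)
    return BACKTICK_INCLUDE.sub(sub_include, value)


def vulnerable_htsearch(config, query_string):
    """Pre-3.1.5 shape of the bug: every CGI field becomes a config attribute and
    the whole attribute set is expanded, so exclude=%60/etc/passwd%60 reads a file."""
    attrs = dict(config)
    for name, values in parse_qs(query_string).items():
        attrs[name] = values[-1]
    return {name: expand_value(val, attrs) for name, val in attrs.items()}


def hardened_htsearch(config, query_string, cgi_allowed=("exclude", "words", "method")):
    """Fixed shape: only the trusted config file is expanded; CGI fields are copied
    literally (no backtick or ${} processing) and only for a known set of names."""
    attrs = {name: expand_value(val, config) for name, val in config.items()}
    for name, values in parse_qs(query_string).items():
        if name in cgi_allowed:
            attrs[name] = values[-1]
    return attrs


def demo():
    """Run both versions against constructed files standing in for htdig.urls and /etc/passwd."""
    with tempfile.TemporaryDirectory() as tmp:
        urls_file = os.path.join(tmp, "htdig.urls")
        secret = os.path.join(tmp, "passwd")
        with open(urls_file, "w") as fh:
            fh.write("http://www.example.org/\n")          # constructed stand-in for htdig.urls
        with open(secret, "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/sh\n")    # constructed stand-in for /etc/passwd

        # Trusted config file, using the include feature exactly as the advisory shows.
        config = {"start_url": "`" + urls_file + "`", "exclude": ""}
        # Attacker's query string, i.e. exclude=%60<path>%60 after URL encoding.
        query = urlencode({"exclude": "`" + secret + "`"})

        return {
            "vulnerable": vulnerable_htsearch(config, query),
            "hardened": hardened_htsearch(config, query),
        }


if __name__ == "__main__":
    for variant, attrs in demo().items():
        print(variant, "exclude =", repr(attrs["exclude"]))
```

The hardened variant keeps the include feature for the administrator's config file, which is what the project needs, while never running CGI-supplied strings through `expand_value`; the allow-list additionally stops unrelated attributes from being overridden from the query string at all.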



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:38:07 PDT