
#64 Security: "-c" parameter to htsearch CGI

Milestone: resolved
Status: closed-fixed
Labels: htsearch (60)
Priority: 5
Updated: 2001-09-14
Created: 2001-09-03
Creator: Anonymous
Private: No

Hello,

htdig version: 3.1.5-2, from debian pkg

Htsearch accepts the "-c" command line parameter even when running as a CGI process. So, the following request

http://your.host/cgi-bin/htsearch?-c/dev/zero

will make htsearch run in an endless (well, almost) loop reading the config entries from /dev/zero.

Even worse, if an attacker is able to put some semi-controlled data on the server (anonymous ftp with upload enabled or samba world-readable log files are the possible targets), he can retrieve arbitrary world-readable files from the server. It is enough to craft some config file containing

nothing_found_file: /path/to/the/file/we/steal

transport it to the server, and again call htsearch with this crafted config file as a parameter. It is not even necessary for the target server to have htdig configured (htrun need not have been run); all run-time parameters, like db files location, can be modified in the supplied config file.

I think that after developing a fix, a bugtraq report is due.

Save yourself,
Nergal
nergal@7bulls.com

Discussion

  • Comment (user_id=149687):

    Thanks for the report. The -c option was added for command line testing of htsearch, and has since been
    used for wrapper scripts. Geoff and I have worked out a solution to disable -c when htsearch is used as a
    CGI program, but it can still be used from the command line, or even from a wrapper script if the
    REQUEST_METHOD env. variable is unset. This is fixed in the 3.1.6 and 3.2.0b4 development code, and is in
    the 090901 snapshots.

    • milestone: 103281 --> resolved
    • assigned_to: nobody --> ghutchis
    • summary: Security: "-c" parameter to htsearch CGI --> Security: "-c" parameter to htsearch CGI
    • status: open --> closed-fixed
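The mechanism behind the report and the shape of the fix described in the comment, as an added example that is not ht://Dig's own code. A query string without "=" is an "indexed" query under the CGI specification (RFC 3875, section 4.4): the web server splits it on "+", URL-decodes the pieces and hands them to the program as command-line arguments, which is how `?-c/dev/zero` reaches htsearch as `argv[1]`. The function names, the default config path and the sample query strings below are assumptions constructed for illustration; the hardened variant follows the comment's description (refuse "-c" whenever REQUEST_METHOD is set, keep it working from a shell or a wrapper script that leaves REQUEST_METHOD unset).

```cpp
#include <iostream>
#include <string>
#include <vector>

// CGI "indexed query" convention (RFC 3875, section 4.4): when QUERY_STRING
// contains no '=', the web server splits it on '+', URL-decodes each piece and
// passes the pieces to the CGI program as command-line arguments. That is how
// the request ?-c/dev/zero reaches htsearch as argv[1] == "-c/dev/zero".
static int hexVal(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

std::vector<std::string> indexedQueryArgs(const std::string& qs) {
    std::vector<std::string> args;
    if (qs.find('=') != std::string::npos) return args;  // form query: no argv
    std::string cur;
    for (size_t i = 0; i < qs.size(); ++i) {
        char c = qs[i];
        if (c == '+') {
            args.push_back(cur);
            cur.clear();
        } else if (c == '%' && i + 2 < qs.size() &&
                   hexVal(qs[i + 1]) >= 0 && hexVal(qs[i + 2]) >= 0) {
            cur += static_cast<char>(hexVal(qs[i + 1]) * 16 + hexVal(qs[i + 2]));
            i += 2;
        } else {
            cur += c;
        }
    }
    if (!cur.empty()) args.push_back(cur);
    return args;
}

// Option handling as the report describes it (simplified, assumed shape):
// "-cFILE" or "-c FILE" selects the configuration file, and it is honoured
// no matter how the process was started. Under CGI the attacker therefore
// picks the config, and with it nothing_found_file:, db locations, etc.
std::string configPathVulnerable(const std::vector<std::string>& args,
                                 const std::string& defaultConfig) {
    for (size_t i = 0; i < args.size(); ++i) {
        const std::string& a = args[i];
        if (a.size() >= 2 && a[0] == '-' && a[1] == 'c') {
            if (a.size() > 2) return a.substr(2);      // -c/dev/zero
            if (i + 1 < args.size()) return args[i + 1]; // -c /dev/zero
        }
    }
    return defaultConfig;
}

// Hardened form matching the fix described in the discussion: a web server
// always sets REQUEST_METHOD, so when it is present argv is ignored and the
// compiled-in default config is used; a shell or a wrapper script that leaves
// REQUEST_METHOD unset can still pass -c. requestMethod is a parameter
// (nullptr == unset) rather than getenv() so the check can be exercised
// without touching the real environment.
std::string configPathFixed(const std::vector<std::string>& args,
                            const char* requestMethod,
                            const std::string& defaultConfig) {
    if (requestMethod != nullptr) return defaultConfig;
    return configPathVulnerable(args, defaultConfig);
}

int main() {
    const std::string defaultConfig = "/etc/htdig/htdig.conf";  // assumed path
    // Constructed query strings: the DoS request from the report, the
    // "-c <uploaded config>" file-theft variant, and an ordinary search.
    const std::vector<std::string> queries = {
        "-c/dev/zero",
        "-c+/var/ftp/incoming/evil.conf",
        "words=htdig",
    };
    for (const std::string& q : queries) {
        std::vector<std::string> args = indexedQueryArgs(q);
        std::cout << "QUERY_STRING=" << q << "\n"
                  << "  vulnerable:        " << configPathVulnerable(args, defaultConfig) << "\n"
                  << "  fixed, as CGI:     " << configPathFixed(args, "GET", defaultConfig) << "\n"
                  << "  fixed, from shell: " << configPathFixed(args, nullptr, defaultConfig) << "\n";
    }
    return 0;
}
```

Note that the hardened check keys on REQUEST_METHOD, exactly as the comment describes, so a wrapper script that deliberately unsets that variable regains "-c" and inherits the responsibility of never passing user-controlled data into it.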