Tracker: Bugs
Hello,
htdig version: 3.1.5-2, from debian pkg
Htsearch accepts "-c" command line parameter even when
running as
a cgi process. So, the following request
http://your.host/cgi-bin/htsearch?-c/dev/zero
will make htsearch run in an endless (well, almost)
loop reading the config entries from /dev/zero.
Even worse, if an attacker is able to put some
semi-controlled data on the server (anonymous ftp with
upload enabled or samba world-readable log files are
the possible targets), he can retrieve arbitrary
world-readable files from the server. It is enough to
craft some config file containing
nothing_found_file: /path/to/the/file/we/steal
transport it to the server, and again, call htsearch
with this crafted config file as a parameter. It is
even not necessary for the target server to have
configured htdig (htrun need not to have been run); all
run-time parameters, like db files location, can be
modified in the supplied config file.
I think that after developing a fix, a bugtraq report
is due.
Save yourself,
Nergal
nergal@7bulls.com
Nobody/Anonymous ( nobody ) - 2001-09-03 11:31
5
Closed
Fixed
Geoff Hutchison
htsearch
resolved
Public
Comments ( 2 )
|
Date: 2009-05-30 16:44 <a href="<http://groups.google.com/group/buy-best-generic-valium>">buy |
|
Date: 2001-09-14 14:50 Logged In: YES |
Log in to comment.
Attached File
No Files Currently Attached
Changes ( 6 )
| Field | Old Value | Date | By |
|---|---|---|---|
| status_id | Open | 2001-09-14 14:50 | grdetil |
| resolution_id | None | 2001-09-14 14:50 | grdetil |
| artifact_group_id | need info | 2001-09-14 14:50 | grdetil |
| assigned_to | nobody | 2001-09-14 14:50 | grdetil |
| summary | Security: "-c" parameter to htsearch CGI | 2001-09-14 14:50 | grdetil |
| close_date | - | 2001-09-14 14:50 | grdetil |
