#227 local path disclosure vulnerability

Status: open
Owner: nobody
Labels: htsearch (60)
Priority: 5
Updated: 2004-06-24
Created: 2004-06-24
Creator: Anonymous
Private: No

If you specify a config that doesn't exist, htsearch
discloses the directory that the config files are located
in.

RH 9.0 installed from RPM
htdig version 3.2.0b5

This is an old vulnerability that was resolved in 3.1.5,
but it's back.

I figured I'd give you a heads up so you don't end up
back in bugtraq for the same thing. I like you guys! thx
for the great search tool...

--begin Sample: --
ht://Dig error
htsearch detected an error. Please report this to the
webmaster of this site by sending an e-mail to:
bogus@unconfigured.htdig.user The error message is:

Unable to read configuration file '/etc/revuew.conf'

--end sample--

This was resolved in the past by simply truncating the
path from the error message.

-neil
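
An added example, not part of the report above and not ht://Dig's own code: one way to apply the mitigation the report describes, where the browser-facing error keeps only the file name and the full path goes to a server-side log. The names strip_directory, ConfigError and config_read_error are hypothetical.

```cpp
#include <iostream>
#include <string>

// Hypothetical helper (not from ht://Dig): drop the directory part of a
// path so that only the file name can reach the browser.
std::string strip_directory(const std::string &path)
{
    // Ignore trailing slashes so "/etc/htdig/" yields "htdig", not "".
    std::string::size_type end = path.find_last_not_of('/');
    if (end == std::string::npos)
        return "";                       // empty input or only slashes
    std::string::size_type start = path.find_last_of('/', end);
    start = (start == std::string::npos) ? 0 : start + 1;
    return path.substr(start, end - start + 1);
}

// Two renderings of the same failure, for two different audiences.
struct ConfigError {
    std::string public_msg;   // placed in the HTML error page
    std::string log_msg;      // written to the server-side log only
};

ConfigError config_read_error(const std::string &full_path)
{
    const std::string prefix = "Unable to read configuration file '";
    ConfigError e;
    e.public_msg = prefix + strip_directory(full_path) + "'";
    e.log_msg    = prefix + full_path + "'";
    return e;
}

int main()
{
    // Sample input: the path shown in the report's error output.
    ConfigError e = config_read_error("/etc/revuew.conf");
    std::cout << e.public_msg << "\n";   // what the site visitor sees
    std::cerr << e.log_msg << "\n";      // what the administrator sees
    return 0;
}
```
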

Discussion
