htdig version: 3.1.5-2, from debian pkg
Htsearch accepts the "-c" command line parameter even when
running as a cgi process. So, the following request
will make htsearch run in an endless (well, almost)
loop reading the config entries from /dev/zero.
Even worse, if an attacker is able to put some
semi-controlled data on the server (anonymous ftp with
upload enabled or samba world-readable log files are
the possible targets), he can retrieve arbitrary
world-readable files from the server. It is enough to
craft some config file containing
transport it to the server, and again, call htsearch
with this crafted config file as a parameter. It is
not even necessary for the target server to have
configured htdig (htrun need not have been run); all
run-time parameters, like db files location, can be
modified in the supplied config file.
I think that after developing a fix, a bugtraq report
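One shape a fix for the behaviour reported above could take, as an added illustration that is not htdig's own code or patch: a CGI child can recognise itself from the GATEWAY_INTERFACE / REQUEST_METHOD variables the web server sets, refuse a request-supplied "-c" in that mode, and additionally insist that any configuration path names a regular file, so a device such as /dev/zero cannot be read forever. The default path and the function names are assumptions for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Hypothetical hardening for a binary that runs both from a shell and as
 * a CGI: an added example, not htdig's own code. The web server sets
 * GATEWAY_INTERFACE and REQUEST_METHOD for CGI children, and in that
 * mode a "-c <file>" option came from the request, not from an
 * administrator, so it must not be honoured. */

#define DEFAULT_CONFIG "/etc/htdig/htdig.conf"   /* placeholder path */

/* A CGI invocation is recognisable from the server-provided environment. */
int running_as_cgi(void)
{
    return getenv("GATEWAY_INTERFACE") != NULL || getenv("REQUEST_METHOD") != NULL;
}

/* Only a regular file is an acceptable configuration source: a device
 * such as /dev/zero or a FIFO never reaches end-of-file. */
int is_regular_file(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 && S_ISREG(st.st_mode);
}

/* Pick the configuration path. Returns NULL (caller must fail closed)
 * when -c was given under CGI or names something other than a regular file. */
const char *select_config(int argc, const char *const *argv, int is_cgi)
{
    const char *override = NULL;
    for (int i = 1; i + 1 < argc; i++)
        if (strcmp(argv[i], "-c") == 0)
            override = argv[i + 1];
    if (override == NULL)
        return DEFAULT_CONFIG;
    if (is_cgi || !is_regular_file(override))
        return NULL;
    return override;
}

/* Helper for exercising the policy with a fixed "prog -c <path>" line. */
const char *choose_with_c(const char *path, int is_cgi)
{
    const char *argv[] = { "htsearch", "-c", path };
    return select_config(3, argv, is_cgi);
}
```

A real main() would call select_config(argc, argv, running_as_cgi()) and exit with an error when it returns NULL rather than falling back silently.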