#64 Security: "-c" parameter to htsearch CGI

htsearch (60)

htdig version: 3.1.5-2, from debian pkg
Htsearch accepts the "-c" command line parameter even when running as a CGI process. So, the following request will make htsearch run in an endless (well, almost) loop reading the config entries from /dev/zero.

Even worse, if an attacker is able to put some semi-controlled data on the server (anonymous ftp with upload enabled or samba world-readable log files are the possible targets), he can retrieve arbitrary world-readable files from the server. It is enough to craft some config file containing

nothing_found_file: /path/to/the/file/we/steal

transport it to the server, and again, call htsearch with this crafted config file as a parameter. It is not even necessary for the target server to have configured htdig (htrun need not have been run); all run-time parameters, like the db file location, can be modified in the supplied config file.

I think that after developing a fix, a bugtraq report is due.
Save yourself,


  • Gilles Detillieux

    Thanks for the report. The -c option was added for command line testing of htsearch, and has since been
    used for wrapper scripts. Geoff and I have worked out a solution to disable -c when htsearch is used as a
    CGI program, but it can still be used from the command line, or even from a wrapper script if the
    REQUEST_METHOD env. variable is unset. This is fixed in the 3.1.6 and 3.2.0b4 development code, and is in
    the 090901 snapshots.
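The check described in the comment above (honour -c only when REQUEST_METHOD is unset, so the web server's CGI invocation cannot pick the config file) as an added C++ example; this is not ht://Dig's own code, and the default config path and the selectConfig/ConfigChoice names are constructed for illustration.

```cpp
#include <cstdlib>
#include <iostream>
#include <string>
#include <vector>

// Constructed default path; the real ht://Dig default is not given on this page.
static const std::string kDefaultConfig = "/etc/htdig/htdig.conf";

struct ConfigChoice {
    std::string path;        // config file htsearch will actually load
    bool overrideRefused;    // a -c was supplied but ignored (CGI mode)
};

// Pick the config file from argv-style arguments.
// requestMethod is the value of REQUEST_METHOD, or nullptr when the variable
// is unset. Web servers always set it for CGI programs, so a non-null value
// means htsearch was started by the server and any -c must be ignored; a
// command-line run, or a wrapper script that unsets REQUEST_METHOD before
// exec'ing htsearch, may still override the config file.
ConfigChoice selectConfig(const std::vector<std::string>& args,
                          const char* requestMethod) {
    ConfigChoice choice{kDefaultConfig, false};
    const bool runningAsCgi = (requestMethod != nullptr);

    for (std::size_t i = 1; i < args.size(); ++i) {
        if (args[i] != "-c") continue;
        if (i + 1 >= args.size()) break;          // "-c" with no value: ignore
        const std::string& value = args[++i];
        if (runningAsCgi) {
            choice.overrideRefused = true;        // keep the default, flag it
        } else {
            choice.path = value;                  // trusted local invocation
        }
    }
    return choice;
}

int main(int argc, char** argv) {
    std::vector<std::string> args(argv, argv + argc);
    ConfigChoice c = selectConfig(args, std::getenv("REQUEST_METHOD"));
    if (c.overrideRefused)
        std::cerr << "htsearch: -c ignored when running as CGI\n";
    std::cout << "using config " << c.path << "\n";
    return 0;
}
```

Run from a shell it honours -c; run with REQUEST_METHOD in the environment it logs the refusal and falls back to the built-in default.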
