Date: Fri, 25 Feb 2000 18:52:44 -0600
To: lwn@lwn.net
From: Geoff Hutchison <ghutchis@wso.williams.edu>
Subject: [SECURITY] Security hole in ht://Dig's htsearch

(What follows was sent to the htdig, htdig3-announce and htdig3-dev 
mailing lists earlier today.)

Hi,

I'm sending this message out essentially twice. The contents are 
included in the ht://Dig 3.1.5 release notes at 
<http://www.htdig.org/RELEASE.html>, but I wanted to make sure 
everyone got the message. There is a security hole in all versions of 
the htsearch CGI prior to version 3.1.5 (just released).

This hole can allow remote users to read any file on your system that 
the UID running your webserver can read.

It is *strongly* recommended that you upgrade to 3.1.5 ASAP. Anyone 
upgrading from a 3.1.x stable release will find the process fairly 
painless and to fix the hole, they can simply drop in the new CGI. 
The databases themselves are not affected. You may also wish to look 
at the new default templates as they make use of new features and 
generate cleaner HTML output.

Anyone using version 3.2.0b1 is advised to upgrade to the latest 
development snapshot. The next beta version, 3.2.0b2, will be 
released shortly to address this issue and other bugs.

More detailed information will be posted to the BugTraq mailing list 
in a day or two.

-Geoff Hutchison
Williams Students Online
http://wso.williams.edu/