From: Geoff Hutchison <ghutchis@wso.williams.edu>
To: bugtraq@securityfocus.com
Subject: Re: Bug found in ht://Dig htsearch CGI
Date: Sun, 7 Oct 2001 15:46:40 -0500
Cc: htdig-general@lists.sourceforge.net, htdig3-dev <htdig-dev@lists.sourceforge.net>

* Name: ht://Dig (htsearch CGI)

* Versions affected: 3.1.0b2 and more recent, including 3.1.5 and 3.2.0b3

* Vulnerability: Potential remote exposure. Denial of service.

* Details: The htsearch CGI runs both as the CGI and as a command-line program. The command-line program accepts -c [filename] to read in an alternate configuration file. However, no filtering is done to stop the CGI program from taking command-line arguments as well, so a remote user can force the CGI to stall until it times out (resulting in a DoS) or make it read in a different configuration file. For a remote exposure, the attacker-supplied configuration file would need to be readable by the webserver UID (e.g. an anonymous FTP area with upload enabled, or world-readable Samba log files, are possible targets); such a file could then be used to retrieve files readable by the webserver UID, e.g.

  nothing_found_file: /path/to/the/file/we/steal

* Potential exploit:

  http://your.host/cgi-bin/htsearch?-c/dev/zero
  http://your.host/cgi-bin/htsearch?-c/path/to/my.file

* Fix: Upgrade to the current prerelease versions of 3.1.6 or 3.2.0b4, or apply the attached patches.
Prerelease versions are available from <http://www.htdig.org/files/snapshots/>
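As an added illustration, not part of Geoff's post or of the ht://Dig sources: a C model of the two mechanisms behind the advisory, the CGI "indexed query" rule (a query string with no '=' is split on '+' and handed to the program as argv, which is how htsearch?-c/dev/zero reaches the option parser) and the guard the patch applies, which honours -c only when REQUEST_METHOD is unset. The default config path and the function names are assumptions, and request_method is passed in rather than read with getenv() so both paths can be exercised.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define DEFAULT_CONFIG "/etc/htdig/htdig.conf"  /* assumed default path */

static int hexval(char c) {                      /* hex digit -> 0..15, else -1 */
    if (c >= '0' && c <= '9') return c - '0';
    c = (char)tolower((unsigned char)c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* CGI "indexed query" rule (RFC 3875 s4.4): a QUERY_STRING without '=' is
 * split on '+', %XX-decoded and passed as argv.  Returns argc; strings are malloc'd. */
int query_to_argv(const char *query, char **argv, int max_args) {
    int argc = 0;
    if (strchr(query, '=') != NULL) return 0;    /* form data is never argv */
    for (const char *p = query; *p != '\0' && argc < max_args; ) {
        char *word = malloc(strlen(p) + 1), *w = word;
        while (*p != '\0' && *p != '+') {
            if (*p == '%' && hexval(p[1]) >= 0 && hexval(p[2]) >= 0) {
                *w++ = (char)(hexval(p[1]) * 16 + hexval(p[2]));
                p += 3;
            } else {
                *w++ = *p++;
            }
        }
        *w = '\0';
        argv[argc++] = word;
        if (*p == '+') p++;
    }
    return argc;
}

/* The guard the patch adds: honour -c only when not started by a web server.
 * A server always sets REQUEST_METHOD for a CGI; a shell does not.  It is a
 * parameter here (getenv() in the real program) so both paths can be tested. */
const char *select_config(int argc, char **argv, const char *request_method) {
    for (int i = 0; i < argc; i++) {
        if (strncmp(argv[i], "-c", 2) != 0) continue;
        const char *file = argv[i][2] ? argv[i] + 2 : (i + 1 < argc ? argv[++i] : NULL);
        if (file == NULL) continue;
        if (request_method != NULL) {            /* CGI request: refuse override */
            fprintf(stderr, "htsearch: ignoring -c %s in CGI mode\n", file);
            return DEFAULT_CONFIG;
        }
        return file;                             /* command-line use: allowed */
    }
    return DEFAULT_CONFIG;
}
```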