Hi,

This message is being sent out in advance of updated releases of ht://Dig 3.1.X and 3.2.0bX. Updated versions of both release trees may be found in the current snapshots at <http://www.htdig.org/files/snapshots/>.

There is a security vulnerability in all versions of htsearch between 3.1.0b2 and 3.1.5, including all versions of the 3.2.0b1 through 3.2.0b3. The hole can allow a remote user to pick a file on your system for the config file that the UID running the webserver can read. In the case of a user with local access as well, this could enable local file disclosure.

It is *strongly* recommended that you either patch your version of htsearch with the patches enclosed (for both 3.1.x and 3.2.0 beta versions) or download the most recent snapshots of 3.1.6 or 3.2.0b4 in the snapshots directory given above.

Anyone upgrading from a 3.1.x stable release will find the process fairly painless and to fix the hole, they can simply drop in the new CGI. The databases themselves are not affected.

We are working to finalize a 3.1.6 release that will include this fix as well as additional bugfixes. A final release of 3.2.0b4 will likely take a little longer, but should be forthcoming fairly soon.

More detailed information will be posted to the BugTraq mailing list shortly.

--
-Geoff Hutchison
Williams Students Online
http://wso.williams.edu/

Index: htdig/htsearch/htsearch.cc diff -c htdig/htsearch/htsearch.cc:1.24.2.14 htdig/htsearch/htsearch.cc:1.24.2.15 *** htdig/htsearch/htsearch.cc:1.24.2.14 Wed Jul 25 21:18:11 2001 --- htdig/htsearch/htsearch.cc Sat Sep 8 20:12:41 2001 *************** *** 8,14 **** // // #if RELEASE ! static char RCSid[] = "$Id: htsearch.cc,v 1.24.2.14 2001/07/26 04:18:11 grdetil Exp $"; #endif #include "htsearch.h" --- 8,14 ---- // // #if RELEASE ! static char RCSid[] = "$Id: htsearch.cc,v 1.24.2.15 2001/09/09 03:12:41 ghutchis Exp $"; #endif #include "htsearch.h" *************** *** 78,86 **** switch (c) { case 'c': ! configFile = optarg; ! override_config=1; ! break; case 'v': debug++; break; --- 78,95 ---- switch (c) { case 'c': ! // The default is obviously to do this securely ! // but if people want to shoot themselves in the foot... ! #ifndef ALLOW_INSECURE_CGI_CONFIG ! if (!getenv("REQUEST_METHOD")) ! { ! #endif ! configFile = optarg; ! override_config=1; ! #ifndef ALLOW_INSECURE_CGI_CONFIG ! } ! #endif ! break; case 'v': debug++; break;
Index: htdig/htsearch/htsearch.cc diff -c htdig/htsearch/htsearch.cc:1.54.2.21 htdig/htsearch/htsearch.cc:1.54.2.22 *** htdig/htsearch/htsearch.cc:1.54.2.21 Wed Jul 11 12:33:26 2001 --- htdig/htsearch/htsearch.cc Sat Sep 8 20:24:37 2001 *************** *** 11,17 **** // or the GNU Public License version 2 or later // <http://www.gnu.org/copyleft/gpl.html> // ! // $Id: htsearch.cc,v 1.54.2.21 2001/07/11 19:33:26 grdetil Exp $ // #ifdef HAVE_CONFIG_H --- 11,17 ---- // or the GNU Public License version 2 or later // <http://www.gnu.org/copyleft/gpl.html> // ! // $Id: htsearch.cc,v 1.54.2.22 2001/09/09 03:24:37 ghutchis Exp $ // #ifdef HAVE_CONFIG_H *************** *** 93,100 **** switch (c) { case 'c': ! configFile = optarg; ! override_config=1; break; case 'v': debug++; --- 93,109 ---- switch (c) { case 'c': ! // The default is obviously to do this securely ! // but if people want to shoot themselves in the foot... ! #ifndef ALLOW_INSECURE_CGI_CONFIG ! if (!getenv("REQUEST_METHOD")) ! { ! #endif ! configFile = optarg; ! override_config=1; ! #ifndef ALLOW_INSECURE_CGI_CONFIG ! } ! #endif break; case 'v': debug++;
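
Review bot: in the `case 'c':` hunk of the 3.1.x patch (htsearch.cc 1.24.2.15), a -c argument that arrives while REQUEST_METHOD is set is dropped silently: `configFile` and `override_config` keep their earlier values and nothing is reported. Consider writing a diagnostic when the option is refused so an administrator can tell a blocked request from a misconfigured wrapper, and expand the comment to state why the guard exists. As written, "shoot themselves in the foot" does not tell a later maintainer what defining ALLOW_INSECURE_CGI_CONFIG actually re-enables.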
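
Review bot: in the `case 'c':` hunk of the 3.2.0 beta patch (htsearch.cc 1.54.2.22), the opening `{` and the closing `}` of `if (!getenv("REQUEST_METHOD"))` sit in two separate `#ifndef ALLOW_INSECURE_CGI_CONFIG` blocks, so the braces balance only as long as every later edit keeps both blocks in step. A single conditional would be easier to audit, for example by computing one flag under the `#ifndef` and testing it with an ordinary `if` around the two assignments. ALLOW_INSECURE_CGI_CONFIG is also not documented anywhere in this hunk; it should be described wherever build options are listed, with a statement that defining it restores the pre-patch handling of -c.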