According to Malcolm Austen:
> On Sun, 23 Sep 2001, Geoff Hutchison wrote:
> + There is a security vulnerability in all versions of htsearch between
> + 3.1.0b2 and 3.1.5, including all versions of the 3.2.0b1 through
> + 3.2.0b3. The hole can allow a remote user to pick a file on your system
> + for the config file that the UID running the webserver can read. In the
> + case of a user with local access as well, this could enable local file
> + disclosure.
> 
> Could I trouble you to show us just what the exploit looks like please?
> 
> I think my setup will be impervious to this exploit because I never
> invoke htsearch directly, only via a wrapper that verifies the config file
> name matches the alias by which the script has been invoked - I have one
> wrapper script and an 'ln -s' for each permitted config file. The real
> htsearch isn't in my cgi-bin directory, htsearch in my cgi-bin is a dummy
> that just emails me the @ENV details of the caller.
> 
> That said, it would be nice to confirm my setup foils the exploit and
> that I can rest easy until a 3.1.6 binary RPM is released.

If your setup allows the passing of command line arguments from the
CGI wrapper script to htsearch, then the exploit may still be possible.
Generally, wrapper scripts will pass other arguments to htsearch than those
they got directly.

You can read up on bug item #458013, which describes the vulnerability, at...

http://sourceforge.net/tracker/?func=detail&atid=104593&aid=458013&group_id=4593

-- 
Gilles R. Detillieux              E-mail: <[EMAIL PROTECTED]>
Spinal Cord Research Centre       WWW:    http://www.scrc.umanitoba.ca/~grdetil
Dept. Physiology, U. of Manitoba  Phone:  (204)789-3766
Winnipeg, MB  R3E 3J7  (Canada)   Fax:    (204)789-3930

_______________________________________________
htdig-general mailing list <[EMAIL PROTECTED]>
To unsubscribe, send a message to <[EMAIL PROTECTED]> with a 
subject of unsubscribe
FAQ: http://htdig.sourceforge.net/FAQ.html
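Gilles's caveat above is that a wrapper only helps if it never forwards the caller's command line to the real htsearch. The script below is an added example of such a wrapper written for this page; it is not part of ht://Dig and not the poster's own setup. The binary and config directory paths, the `search-` alias prefix and the three allowlisted config names are assumptions, and the wrapper relies on htsearch's `-c` option to select the config file.

```shell
#!/bin/sh
# Added example (not ht://Dig code): a CGI wrapper that picks the htsearch
# config from the alias (symlink name) it was invoked as, checks that name
# against a fixed allowlist, and deliberately ignores "$@" so that nothing a
# remote caller supplies can reach htsearch's command line.

HTSEARCH_BIN="/usr/local/libexec/htsearch"   # assumed location of the real binary
CONFIG_DIR="/usr/local/etc/htdig"            # assumed directory holding *.conf

# Return 0 if $1 is a permitted config name. The names are constructed for
# this example; a real deployment lists its own config files here.
allowed_config() {
    case "$1" in
        site|docs|intranet) return 0 ;;
        *) return 1 ;;
    esac
}

# Map an invoked path such as /var/www/cgi-bin/search-docs to the config name
# "docs". Prints the name on success; prints nothing and returns 1 otherwise.
config_from_alias() {
    alias_name=$(basename "$1")
    name=${alias_name#search-}          # symlink "search-docs" selects "docs"
    # Only a plain word is acceptable: no slashes, dots, or traversal pieces.
    case "$name" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    allowed_config "$name" || return 1
    printf '%s\n' "$name"
}

# Full path of the config file for the alias in $1, or failure.
config_path() {
    cfg=$(config_from_alias "$1") || return 1
    printf '%s\n' "$CONFIG_DIR/$cfg.conf"
}

# Hand off to htsearch with exactly one option of our own choosing.
# QUERY_STRING and the other CGI variables reach htsearch through the
# environment, so there is nothing from the request to forward.
run_wrapper() {
    if conf=$(config_path "$0"); then
        exec "$HTSEARCH_BIN" -c "$conf"
    fi
    printf 'Content-Type: text/plain\r\n\r\nSearch not available.\n'
    exit 1
}

# Only act when invoked through a search-* alias; a direct run of this file
# (for instance while testing it) does nothing.
case "$0" in
    */search-*) run_wrapper ;;
esac
```

Install the script once, then create one `ln -s wrapper search-docs` per permitted config in cgi-bin; any other alias, or a name containing path characters, gets the "not available" response instead of an htsearch invocation.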
