November 2, 2001

Mandrake Linux: htdig update

Author: JT Smith

Posted on "A problem was discovered in the ht://Dig web indexing and search program. Nergal reported a vulnerability in htsearch that allows a remote user to pass the -c parameter, which selects a specific config file, to the htsearch program when running as a CGI. A malicious user could point to a file like /dev/zero and force the CGI to stall until it times out. Repeated attacks could result in a DoS. As well, if the user has write permission on the server and can create a file with certain entries, they can point the server to it and retrieve any file readable by the webserver UID."
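A log check for the pattern this advisory describes, added here as an example (it is not part of the advisory or of the ht://Dig project): it scans web-server access-log lines for htsearch requests that carry a -c config-file override and reports the source address and the path requested. It assumes the option reaches htsearch via the query string, which the advisory does not spell out; the log lines below are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache common log format, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Nov/2001:10:00:01 +0000] "GET /cgi-bin/htsearch?words=linux&config=htdig HTTP/1.0" 200 512
10.0.0.9 - - [02/Nov/2001:10:00:07 +0000] "GET /cgi-bin/htsearch?-c/dev/zero HTTP/1.0" 200 0
10.0.0.9 - - [02/Nov/2001:10:00:09 +0000] "GET /cgi-bin/htsearch?-c+/tmp/evil.conf HTTP/1.0" 200 0
10.0.0.7 - - [02/Nov/2001:10:00:11 +0000] "GET /index.html HTTP/1.0" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d+) (?P<size>\S+)$'
)


def config_override(query: str):
    """Return the config path if the query carries a -c option, else None.

    Assumption (not stated in the advisory): a query string with no '=' is
    split on '+' and handed to the CGI as command-line arguments, so '-c'
    may appear either as its own word or fused with the path ('-c/dev/zero').
    """
    if "=" in query:
        return None  # ordinary form submission, not argument passing
    args = [unquote(a) for a in query.split("+") if a]
    for i, arg in enumerate(args):
        if arg == "-c" and i + 1 < len(args):
            return args[i + 1]
        if arg.startswith("-c") and len(arg) > 2:
            return arg[2:]
    return None


def scan_log(text: str):
    """Yield (client ip, requested config path) for each htsearch -c request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("path").partition("?")
        if not path.endswith("/htsearch"):
            continue
        cfg = config_override(query)
        if cfg is not None:
            findings.append((m.group("ip"), cfg))
    return findings


if __name__ == "__main__":
    for ip, cfg in scan_log(SAMPLE_LOG):
        print(f"{ip} requested htsearch with config override {cfg}")
```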
