CGI abuses : ht://Dig's htsearch potential exposure/dos

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 146377 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.0.10784

Categoría: CGI abuses

Título: ht://Dig's htsearch potential exposure/dos

Resumen: NOSUMMARY

Descripción: Description:

The remote CGI htsearch allows the user to supply his own
configuration file using the '-c' switch, as in :

/cgi-bin/htsearch?-c/some/config/file

This file is not displayed by htsearch. However, if an
attacker manages to upload a configuration file to the remote
server, it may make htsearch read arbitrary files on the remote host.

An attacker may also use this flaw to exhaust the resources on the
remote host by specifying /dev/zero as a configuration file.

Solution: Upgrade to ht://Dig 3.1.6 or newer
(http://www.htdig.org/files/snapshots/)

Risk factor : High

Referencia Cruzada: BugTraq ID: 3410
Common Vulnerability Exposure (CVE) ID: CVE-2001-0834
http://www.securityfocus.com/bid/3410
Bugtraq: 20011007 Re: Bug found in ht://Dig htsearch CGI (Google Search)
http://marc.info/?l=bugtraq&m=100260195401753&w=2
Caldera Security Advisory: CSSA-2001-035.0
http://www.calderasystems.com/support/security/advisories/CSSA-2001-035.0.txt
Conectiva Linux advisory: CLA-2001:429
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000429
Debian Security Information: DSA-080 (Google Search)
http://www.debian.org/security/2001/dsa-080
http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-083.php3
http://sourceforge.net/tracker/index.php?func=detail&aid=458013&group_id=4593&atid=104593
http://www.redhat.com/support/errata/RHSA-2001-139.html
SuSE Security Announcement: SuSE-SA:2001:035 (Google Search)
http://www.novell.com/linux/security/advisories/2001_035_htdig_txt.html
XForce ISS Database: htdig-htsearch-infinite-loop(7262)
https://exchange.xforce.ibmcloud.com/vulnerabilities/7262
XForce ISS Database: htdig-htsearch-retrieve-files(7263)
https://exchange.xforce.ibmcloud.com/vulnerabilities/7263

Copyright Copyright (C) 2001 Renaud Deraison

Esta es sólo una de 146377 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.0.10784
Categoría:	CGI abuses
Título:	ht://Dig's htsearch potential exposure/dos
Resumen:	NOSUMMARY
Descripción:	Description: The remote CGI htsearch allows the user to supply his own configuration file using the '-c' switch, as in : /cgi-bin/htsearch?-c/some/config/file This file is not displayed by htsearch. However, if an attacker manages to upload a configuration file to the remote server, it may make htsearch read arbitrary files on the remote host. An attacker may also use this flaw to exhaust the resources on the remote host by specifying /dev/zero as a configuration file. Solution: Upgrade to ht://Dig 3.1.6 or newer (http://www.htdig.org/files/snapshots/) Risk factor : High
Referencia Cruzada:	BugTraq ID: 3410 Common Vulnerability Exposure (CVE) ID: CVE-2001-0834 http://www.securityfocus.com/bid/3410 Bugtraq: 20011007 Re: Bug found in ht://Dig htsearch CGI (Google Search) http://marc.info/?l=bugtraq&m=100260195401753&w=2 Caldera Security Advisory: CSSA-2001-035.0 http://www.calderasystems.com/support/security/advisories/CSSA-2001-035.0.txt Conectiva Linux advisory: CLA-2001:429 http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000429 Debian Security Information: DSA-080 (Google Search) http://www.debian.org/security/2001/dsa-080 http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-083.php3 http://sourceforge.net/tracker/index.php?func=detail&aid=458013&group_id=4593&atid=104593 http://www.redhat.com/support/errata/RHSA-2001-139.html SuSE Security Announcement: SuSE-SA:2001:035 (Google Search) http://www.novell.com/linux/security/advisories/2001_035_htdig_txt.html XForce ISS Database: htdig-htsearch-infinite-loop(7262) https://exchange.xforce.ibmcloud.com/vulnerabilities/7262 XForce ISS Database: htdig-htsearch-retrieve-files(7263) https://exchange.xforce.ibmcloud.com/vulnerabilities/7263
Copyright	Copyright (C) 2001 Renaud Deraison