Vulnerabilities > CVE-2001-0834

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN

Summary

htsearch CGI program in htdig (ht://Dig) 3.1.5 and earlier allows remote attackers to use the -c option to specify an alternate configuration file, which could be used to (1) cause a denial of service (CPU consumption) by specifying a large file such as /dev/zero, or (2) read arbitrary files by uploading an alternate configuration file that specifies the target file.

Nessus

  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2001-083.NASL
    descriptionA problem was discovered in the ht://Dig web indexing and searching program. Nergal reported a vulnerability in htsearch that allows a remote user to pass the -c parameter, to use a specific config file, to the htsearch program when running as a CGI. A malicious user could point to a file like /dev/zero and force the CGI to stall until it times out. Repeated attacks could result in a DoS. As well, if the user has write permission on the server and can create a file with certain entries, they can point the server to it and retrieve any file readable by the webserver UID.
    last seen2020-06-01
    modified2020-06-02
    plugin id13896
    published2004-07-31
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/13896
    titleMandrake Linux Security Advisory : htdig (MDKSA-2001:083)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2001:083. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(13896);
      script_version ("1.17");
      script_cvs_date("Date: 2019/08/02 13:32:46");
    
      script_cve_id("CVE-2001-0834");
      script_xref(name:"MDKSA", value:"2001:083");
    
      script_name(english:"Mandrake Linux Security Advisory : htdig (MDKSA-2001:083)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandrake Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A problem was discovered in the ht://Dig web indexing and searching
    program. Nergal reported a vulnerability in htsearch that allows a
    remote user to pass the -c parameter, to use a specific config file,
    to the htsearch program when running as a CGI. A malicious user could
    point to a file like /dev/zero and force the CGI to stall until it
    times out. Repeated attacks could result in a DoS. As well, if the
    user has write permission on the server and can create a file with
    certain entries, they can point the server to it and retrieve any file
    readable by the webserver UID."
      );
      # http://sourceforge.net/tracker/index.php?func=detail&aid=458013&group_id=4593&atid=104593
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?8db54e57"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected htdig, htdig-devel and / or htdig-web packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:htdig");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:htdig-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:htdig-web");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:7.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2001/11/01");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK7.2", cpu:"i386", reference:"htdig-3.1.5-6.1mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"htdig-3.1.5-9.1mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"htdig-3.2.0-0.5mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"htdig-devel-3.2.0-0.5mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"htdig-web-3.2.0-0.5mdk", yank:"mdk")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-080.NASL
    descriptionNergal reported a vulnerability in the htsearch program which is distributed as part of the ht://Dig package, an indexing and searching system for small domains or intranets. Using former versions it was able to pass the parameter -c to the cgi program in order to use a different configuration file. A malicious user could point htsearch to a file like/dev/zero and let the server run in an endless loop, trying to read config parameters. If the user has write permission on the server they can point the program to it and retrieve any file readable by the webserver user id.
    last seen2020-06-01
    modified2020-06-02
    plugin id14917
    published2004-09-29
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/14917
    titleDebian DSA-080-1 : htdig - unauthorized gathering of data
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-080. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(14917);
      script_version("1.16");
      script_cvs_date("Date: 2019/08/02 13:32:16");
    
      script_cve_id("CVE-2001-0834");
      script_xref(name:"DSA", value:"080");
    
      script_name(english:"Debian DSA-080-1 : htdig - unauthorized gathering of data");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Nergal reported a vulnerability in the htsearch program which is
     distributed as part of the ht://Dig package, an indexing and
     searching system for small domains or intranets. Using former
     versions it was able to pass the parameter -c to the cgi program in
     order to use a different configuration file.
    
    A malicious user could point htsearch to a file like/dev/zero and let
    the server run in an endless loop, trying to read config parameters.
    If the user has write permission on the server they can point the
    program to it and retrieve any file readable by the webserver user id."
      );
      # http://sourceforge.net/tracker/index.php?func=detail&aid=458013&group_id=4593&atid=104593
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?8db54e57"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2001/dsa-080"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the htdig package immediately.
    
    This problem has been fixed in version 3.1.5-2.0potato.1 for Debian
    GNU/Linux 2.2."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:htdig");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:2.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2001/10/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
      script_set_attribute(attribute:"vuln_publication_date", value:"2001/09/03");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"2.2", prefix:"htdig", reference:"3.1.5-2.0potato.1")) flag++;
    if (deb_check(release:"2.2", prefix:"htdig-doc", reference:"3.1.5-2.0potato.1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyCGI abuses
    NASL idHTSEARCH_CONFIG_SWITCH.NASL
    descriptionThe remote CGI htsearch allows the user to supply his own configuration file using the
    last seen2020-06-01
    modified2020-06-02
    plugin id10784
    published2001-10-17
    reporterThis script is Copyright (C) 2001-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/10784
    titleht://Dig htsearch Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if(description)
    {
     script_id(10784);
     script_version ("1.32");
    
     script_cve_id("CVE-2001-0834");
     script_bugtraq_id(3410);
     script_xref(name:"DSA", value:"080");
     script_xref(name:"RHSA", value:"2001:139");
     
     script_name(english:"ht://Dig htsearch Multiple Vulnerabilities");
    
     script_set_attribute(attribute:"synopsis", value:
    "The remote host contains a web search engine that is affected by 
    multiple vulnerabilities." );
     script_set_attribute(attribute:"description", value:
    "The remote CGI htsearch allows the user to supply his own
    configuration file using the '-c' switch, as in :
    
    	/cgi-bin/htsearch?-c/some/config/file
    
    This file is not displayed by htsearch. However, if an
    attacker manages to upload a configuration file to the remote 
    server, it may make htsearch read arbitrary files on the remote host.
    
    An attacker may also use this flaw to exhaust the resources on the
    remote host by specifying /dev/zero as a configuration file." );
     script_set_attribute(attribute:"see_also", value:"ftp://ftp.sco.com/pub/security/OpenLinux/CSSA-2001-035.0.txt" );
     script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f7ee9854" );
     script_set_attribute(attribute:"solution", value:
    "Upgrade to ht://Dig 3.1.6 or newer." );
     script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:P");
     script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
     script_set_attribute(attribute:"exploit_available", value:"true");
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2001/10/17");
     script_set_attribute(attribute:"vuln_publication_date", value: "2001/09/03");
     script_cvs_date("Date: 2018/06/13 18:56:27");
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_end_attributes();
    
     script_summary(english:"htsearch?-c/nonexistent");
    
     script_family(english:"CGI abuses");
      
     script_category(ACT_GATHER_INFO);
     script_dependencie("find_service1.nasl", "http_version.nasl");
     script_require_ports("Services/www", 80);
     script_exclude_keys("Settings/disable_cgi_scanning");
     script_copyright(english:"This script is Copyright (C) 2001-2018 Tenable Network Security, Inc.");
     exit(0);
    }
    
    #
    # The script code starts here
    #
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
    port = get_http_port(default:80);
    
    foreach dir (cgi_dirs())
    {
     res = http_send_recv3(method:"GET", item:string(dir, "/htsearch?-c/nonexistent"), port:port, exit_on_fail: 1);
     if("Unable to read configuration file '/nonexistent'" >< res[2])
     {
       security_warning(port);
       exit(0);
     }
    }
    
    

Redhat

advisories
rhsa
idRHSA-2001:139