Vulnerabilities > CVE-2001-0834 - Remote Denial of Service/File Disclosure vulnerability in ht://Dig

CVSS 6.4 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
PARTIAL

Summary

The htsearch CGI program in htdig (ht://Dig) 3.1.5 and earlier allows remote attackers to use the -c option (passed in the query string) to specify an alternate configuration file. This can be used to (1) cause a denial of service (CPU consumption) by pointing htsearch at an endless file such as /dev/zero, or (2) read arbitrary files readable by the web-server user, provided the attacker can first place an alternate configuration file on the server (for example through an upload feature) that names the target file.

Nessus

  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2001-083.NASL
    descriptionA problem was discovered in the ht://Dig web indexing and searching program. Nergal reported a vulnerability in htsearch that allows a remote user to pass the -c parameter, to use a specific config file, to the htsearch program when running as a CGI. A malicious user could point to a file like /dev/zero and force the CGI to stall until it times out. Repeated attacks could result in a DoS. As well, if the user has write permission on the server and can create a file with certain entries, they can point the server to it and retrieve any file readable by the webserver UID.
    last seen2020-06-01
    modified2020-06-02
    plugin id13896
    published2004-07-31
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/13896
    titleMandrake Linux Security Advisory : htdig (MDKSA-2001:083)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2001:083. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    # Plugin registration for MDKSA-2001:083 (CVE-2001-0834).
    # This is a *local* check: it never touches the htsearch CGI, it only
    # compares installed rpm versions (collected over SSH) against the
    # advisory's fixed packages. Exposure of the CGI itself is not assessed.
    if (description)
    {
      script_id(13896);
      script_version ("1.17");
      script_cvs_date("Date: 2019/08/02 13:32:46");
    
      script_cve_id("CVE-2001-0834");
      script_xref(name:"MDKSA", value:"2001:083");
    
      script_name(english:"Mandrake Linux Security Advisory : htdig (MDKSA-2001:083)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandrake Linux host is missing one or more security
    updates."
      );
      # Advisory text, reproduced verbatim. Two distinct impacts: a DoS via
      # "-c /dev/zero" (needs nothing but HTTP access) and file disclosure,
      # which additionally requires the attacker to place a crafted config
      # file somewhere on the server first.
      script_set_attribute(
        attribute:"description", 
        value:
    "A problem was discovered in the ht://Dig web indexing and searching
    program. Nergal reported a vulnerability in htsearch that allows a
    remote user to pass the -c parameter, to use a specific config file,
    to the htsearch program when running as a CGI. A malicious user could
    point to a file like /dev/zero and force the CGI to stall until it
    times out. Repeated attacks could result in a DoS. As well, if the
    user has write permission on the server and can create a file with
    certain entries, they can point the server to it and retrieve any file
    readable by the webserver UID."
      );
      # The nessus.org short link below resolves to the upstream
      # SourceForge tracker item given on the next line.
      # http://sourceforge.net/tracker/index.php?func=detail&aid=458013&group_id=4593&atid=104593
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?8db54e57"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected htdig, htdig-devel and / or htdig-web packages."
      );
      # CVSS2 6.4 (MEDIUM), matching NVD. NOTE(review): the remote plugin
      # for the same CVE (10784) scores AC:M rather than AC:L.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:htdig");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:htdig-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:htdig-web");
      # MDK 7.2/8.0 ship backported 3.1.5 builds; MDK 8.1's fix is a 3.2.0
      # prerelease build (see the rpm_check references in the body). A bare
      # "3.1.5 and earlier" version heuristic would therefore false-positive
      # on patched 7.2/8.0 hosts -- the rpm release string is what matters.
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:7.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2001/11/01");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      # Needs the SSH-collected KB entries; without them the body audits
      # out instead of reporting (it never guesses).
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    # Local package check for MDKSA-2001:083. Bail out (audit) unless the
    # scanner collected the Mandrake release and rpm inventory over SSH.
    # (The "Mandake" spelling in the audit message is the original string
    # and is kept as-is.)
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Only x86-family hosts are covered by this advisory's package list.
    arch = get_kb_item("Host/cpu");
    if (isnull(arch)) audit(AUDIT_UNKNOWN_ARCH);
    if (arch !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", arch);
    
    # Fixed packages from the advisory, one "release|name-version-release"
    # entry each. 7.2/8.0 received patched 3.1.5 builds, 8.1 a 3.2.0 build.
    fixed = make_list(
      "MDK7.2|htdig-3.1.5-6.1mdk",
      "MDK8.0|htdig-3.1.5-9.1mdk",
      "MDK8.1|htdig-3.2.0-0.5mdk",
      "MDK8.1|htdig-devel-3.2.0-0.5mdk",
      "MDK8.1|htdig-web-3.2.0-0.5mdk"
    );
    
    # Count packages installed at a version older than the fix.
    vuln = 0;
    foreach entry (fixed)
    {
      parts = split(entry, sep:"|", keep:FALSE);
      if (rpm_check(release:parts[0], cpu:"i386", reference:parts[1], yank:"mdk")) vuln++;
    }
    
    if (vuln)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-080.NASL
description: Nergal reported a vulnerability in the htsearch program which is distributed as part of the ht://Dig package, an indexing and searching system for small domains or intranets. In earlier versions it was possible to pass the parameter -c to the CGI program in order to use a different configuration file. A malicious user could point htsearch to a file like /dev/zero and make the server run in an endless loop trying to read configuration parameters. If the user has write permission on the server, they can point the program to a file they created and retrieve any file readable by the web-server user id.
    last seen2020-06-01
    modified2020-06-02
    plugin id14917
    published2004-09-29
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/14917
    titleDebian DSA-080-1 : htdig - unauthorized gathering of data
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-080. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    # Plugin registration for DSA-080-1 (CVE-2001-0834).
    # Local dpkg check only: reports hosts whose htdig package predates the
    # fixed 3.1.5-2.0potato.1 build. It does not probe the htsearch CGI.
    if (description)
    {
      script_id(14917);
      script_version("1.16");
      script_cvs_date("Date: 2019/08/02 13:32:16");
    
      script_cve_id("CVE-2001-0834");
      script_xref(name:"DSA", value:"080");
    
      script_name(english:"Debian DSA-080-1 : htdig - unauthorized gathering of data");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      # Advisory text, reproduced verbatim (including its original
      # "like/dev/zero" spacing). The file-disclosure path needs write
      # access to the server; the DoS path needs only HTTP access.
      script_set_attribute(
        attribute:"description", 
        value:
    "Nergal reported a vulnerability in the htsearch program which is
     distributed as part of the ht://Dig package, an indexing and
     searching system for small domains or intranets. Using former
     versions it was able to pass the parameter -c to the cgi program in
     order to use a different configuration file.
    
    A malicious user could point htsearch to a file like/dev/zero and let
    the server run in an endless loop, trying to read config parameters.
    If the user has write permission on the server they can point the
    program to it and retrieve any file readable by the webserver user id."
      );
      # The nessus.org short link resolves to the upstream SourceForge
      # tracker item given on the next line.
      # http://sourceforge.net/tracker/index.php?func=detail&aid=458013&group_id=4593&atid=104593
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?8db54e57"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2001/dsa-080"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the htdig package immediately.
    
    This problem has been fixed in version 3.1.5-2.0potato.1 for Debian
    GNU/Linux 2.2."
      );
      # CVSS2 6.4 (MEDIUM), matching NVD.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:htdig");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:2.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2001/10/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
      script_set_attribute(attribute:"vuln_publication_date", value:"2001/09/03");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      # Needs the SSH-collected dpkg inventory; the body audits out without it.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    # Local dpkg check for DSA-080-1. Audit out unless the scanner has the
    # Debian release and package list from SSH.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Both binary packages built from htdig were rebuilt at the fixed
    # version for potato (Debian 2.2).
    fixed_version = "3.1.5-2.0potato.1";
    packages = make_list("htdig", "htdig-doc");
    
    hits = 0;
    foreach pkg (packages)
    {
      if (deb_check(release:"2.2", prefix:pkg, reference:fixed_version)) hits++;
    }
    
    if (hits)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyCGI abuses
    NASL idHTSEARCH_CONFIG_SWITCH.NASL
description: The remote CGI htsearch allows the user to supply his own configuration file using the '-c' switch (e.g. /cgi-bin/htsearch?-c/some/config/file). An attacker who can upload a configuration file to the server may use this to make htsearch read arbitrary files on the host, and any attacker may exhaust the host's resources by specifying /dev/zero as the configuration file.
    last seen2020-06-01
    modified2020-06-02
    plugin id10784
    published2001-10-17
    reporterThis script is Copyright (C) 2001-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/10784
    titleht://Dig htsearch Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Remote, unauthenticated check for the htsearch '-c' switch
    # (CVE-2001-0834). Unlike the distro plugins above, this one talks to
    # the CGI directly, so it finds exposed instances regardless of how
    # ht://Dig was installed.
    if(description)
    {
     script_id(10784);
     script_version ("1.32");
    
     script_cve_id("CVE-2001-0834");
     script_bugtraq_id(3410);
     script_xref(name:"DSA", value:"080");
     script_xref(name:"RHSA", value:"2001:139");
     
     script_name(english:"ht://Dig htsearch Multiple Vulnerabilities");
    
     script_set_attribute(attribute:"synopsis", value:
    "The remote host contains a web search engine that is affected by 
    multiple vulnerabilities." );
     # The config file is not echoed back; disclosure works only if the
     # attacker can first drop a crafted config on the server. The DoS
     # needs nothing beyond HTTP access.
     script_set_attribute(attribute:"description", value:
    "The remote CGI htsearch allows the user to supply his own
    configuration file using the '-c' switch, as in :
    
    	/cgi-bin/htsearch?-c/some/config/file
    
    This file is not displayed by htsearch. However, if an
    attacker manages to upload a configuration file to the remote 
    server, it may make htsearch read arbitrary files on the remote host.
    
    An attacker may also use this flaw to exhaust the resources on the
    remote host by specifying /dev/zero as a configuration file." );
     script_set_attribute(attribute:"see_also", value:"ftp://ftp.sco.com/pub/security/OpenLinux/CSSA-2001-035.0.txt" );
     script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f7ee9854" );
     script_set_attribute(attribute:"solution", value:
    "Upgrade to ht://Dig 3.1.6 or newer." );
     # NOTE(review): scored AC:M here, whereas the MDKSA/DSA plugins for the
     # same CVE (and NVD's 6.4) use AC:L. The temporal vector asserts an
     # official fix and a confirmed report.
     script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:P");
     script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
     script_set_attribute(attribute:"exploit_available", value:"true");
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2001/10/17");
     script_set_attribute(attribute:"vuln_publication_date", value: "2001/09/03");
     script_cvs_date("Date: 2018/06/13 18:56:27");
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_end_attributes();
    
     # The exact request the body sends: a nonexistent config path, so the
     # probe itself cannot trigger the /dev/zero DoS.
     script_summary(english:"htsearch?-c/nonexistent");
    
     script_family(english:"CGI abuses");
      
     # Runs after service/HTTP discovery; honours the scanner-wide
     # CGI-scanning opt-out.
     script_category(ACT_GATHER_INFO);
     script_dependencie("find_service1.nasl", "http_version.nasl");
     script_require_ports("Services/www", 80);
     script_exclude_keys("Settings/disable_cgi_scanning");
     script_copyright(english:"This script is Copyright (C) 2001-2018 Tenable Network Security, Inc.");
     exit(0);
    }
    
    #
    # The script code starts here
    #
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
    # Remote probe: ask htsearch to load a configuration file that cannot
    # exist. A build that still honours the '-c' query switch reports the
    # failure verbatim, and that error text is the fingerprint we match.
    # Deliberately a nonexistent path, not /dev/zero, so the scan itself
    # never exercises the DoS described in the advisory.
    www_port = get_http_port(default:80);
    probe = "/htsearch?-c/nonexistent";
    fingerprint = "Unable to read configuration file '/nonexistent'";
    
    # Try every known CGI directory; report on the first match and stop.
    foreach cgi_dir (cgi_dirs())
    {
      reply = http_send_recv3(method:"GET", item:cgi_dir + probe, port:www_port, exit_on_fail: 1);
      if (fingerprint >< reply[2])
      {
        security_warning(www_port);
        exit(0);
      }
    }
    
    

Redhat

advisories
rhsa
idRHSA-2001:139