Date: Sun, 23 Sep 2001 23:51:50 -0400 (EDT)
From: Geoff Hutchison <ghutchis@wso.williams.edu>
To: htdig-dev@lists.sourceforge.net, htdig-general@lists.sourceforge.net, htdig-announce@lists.sourceforge.net
Subject: [htdig-dev] [SECURITY] Config vulnerability in htsearch

Hi,

This message is being sent out in advance of updated releases of ht://Dig
3.1.X and 3.2.0bX. Updated versions of both release trees may be found in
the current snapshots at <http://www.htdig.org/files/snapshots/>.

There is a security vulnerability in all versions of htsearch between
3.1.0b2 and 3.1.5, including all versions from 3.2.0b1 through
3.2.0b3. The hole can allow a remote user to pick a file on your system
for the config file, any file that the UID running the webserver can read.
In the case of a user with local access as well, this could enable local
file disclosure.

It is *strongly* recommended that you either patch your version of
htsearch with the patches enclosed (for both 3.1.x and 3.2.0 beta
versions) or download the most recent snapshots of 3.1.6 or 3.2.0b4 in the
snapshots directory given above. Anyone upgrading from a 3.1.x stable
release will find the process fairly painless; to fix the hole, they
can simply drop in the new CGI. The databases themselves are not affected.

We are working to finalize a 3.1.6 release that will include this fix as
well as additional bugfixes. A final release of 3.2.0b4 will likely take a
little longer, but should be forthcoming fairly soon.

More detailed information will be posted to the BugTraq mailing list
shortly.

--
-Geoff Hutchison
Williams Students Online
http://wso.williams.edu/
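The pattern behind the hole and the fix, as an added example in C. This is
not ht://Dig's own code and not the patch below; it is a self-contained
illustration. It assumes a default config path (DEFAULT_CONFIG, a made-up
value) and a constructed argv in which a "-c /etc/passwd" option did not come
from the operator's shell but reached the CGI from the web server. The
insecure variant honours -c unconditionally, as the pre-patch htsearch did;
the secure variant honours it only when REQUEST_METHOD is absent, which is
how a CGI can tell it was started from a command line rather than by a web
server.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed default config location for this example; ht://Dig's real default
   is set at build time and is not stated in this message. */
#define DEFAULT_CONFIG "/usr/local/etc/htdig/htdig.conf"

/* Constructed argv: a -c value that did not come from the operator's
   command line. Whether a web server would build such an argv is an
   assumption of this example, not something the message states. */
static char *const attack_argv[] = { "htsearch", "-c", "/etc/passwd", NULL };
static const int attack_argc = 3;

/* Locate the value of a -c option in argv, accepting both "-c PATH" and
   "-cPATH" (the two spellings getopt() would accept). NULL if absent. */
static const char *find_c_option(int argc, char *const argv[])
{
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-c") == 0)
            return (i + 1 < argc) ? argv[i + 1] : NULL;
        if (strncmp(argv[i], "-c", 2) == 0)
            return argv[i] + 2;
    }
    return NULL;
}

/* The CGI interface sets REQUEST_METHOD for every request; a shell
   invocation leaves it unset. Pass getenv("REQUEST_METHOD") here. */
int is_cgi_invocation(const char *request_method)
{
    return request_method != NULL;
}

/* Pre-patch behaviour: whoever controls argv picks the config file. */
const char *choose_config_insecure(int argc, char *const argv[])
{
    const char *c = find_c_option(argc, argv);
    return c ? c : DEFAULT_CONFIG;
}

/* Patched behaviour: honour -c only for command-line runs. request_method
   is a parameter rather than a getenv() call so the decision is testable.
   If dropped is non-NULL it records that a -c value was present but
   ignored, so a caller can log the event instead of failing silently. */
const char *choose_config_secure(int argc, char *const argv[],
                                 const char *request_method, int *dropped)
{
    const char *c = find_c_option(argc, argv);
    if (dropped)
        *dropped = 0;
    if (c && is_cgi_invocation(request_method)) {
        if (dropped)
            *dropped = 1;   /* -c came from an untrusted CGI argv */
        return DEFAULT_CONFIG;
    }
    return c ? c : DEFAULT_CONFIG;
}

int main(void)
{
    int dropped;
    printf("insecure, CGI run : %s\n",
           choose_config_insecure(attack_argc, attack_argv));
    printf("secure,   CGI run : %s\n",
           choose_config_secure(attack_argc, attack_argv, "GET", &dropped));
    printf("  -c ignored      : %d\n", dropped);
    printf("secure,   CLI run : %s\n",
           choose_config_secure(attack_argc, attack_argv, NULL, &dropped));
    return 0;
}
```

The dropped flag is the one thing this example adds beyond the patch: when
htsearch discards -c under a web server, an operator gets no diagnostic, and
a wrapper script that passes -c on purpose would appear to work while
reading the default config instead.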

Index: htdig/htsearch/htsearch.cc
diff -c htdig/htsearch/htsearch.cc:1.24.2.14 htdig/htsearch/htsearch.cc:1.24.2.15
*** htdig/htsearch/htsearch.cc:1.24.2.14	Wed Jul 25 21:18:11 2001
--- htdig/htsearch/htsearch.cc	Sat Sep  8 20:12:41 2001
***************
*** 8,14 ****
  //
  //
  #if RELEASE
! static char RCSid[] = "$Id: htsearch.cc,v 1.24.2.14 2001/07/26 04:18:11 grdetil Exp $";
  #endif
  
  #include "htsearch.h"
--- 8,14 ----
  //
  //
  #if RELEASE
! static char RCSid[] = "$Id: htsearch.cc,v 1.24.2.15 2001/09/09 03:12:41 ghutchis Exp $";
  #endif
  
  #include "htsearch.h"
***************
*** 78,86 ****
   	switch (c)
   	{
   	    case 'c':
!  		configFile = optarg;
!                  override_config=1;
!  		break;
   	    case 'v':
   		debug++;
   		break;
--- 78,95 ----
   	switch (c)
   	{
   	    case 'c':
! 	      // The default is obviously to do this securely
! 	      // but if people want to shoot themselves in the foot...
! #ifndef ALLOW_INSECURE_CGI_CONFIG
! 	      if (!getenv("REQUEST_METHOD"))
! 		{
! #endif
! 		  configFile = optarg;
! 		  override_config=1;
! #ifndef ALLOW_INSECURE_CGI_CONFIG
! 		}
! #endif
! 	      break;
   	    case 'v':
   		debug++;
   		break;
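Review bot: the new `case 'c'` branch silently discards `-c` whenever `REQUEST_METHOD` is set, so an operator who invokes the CGI through a wrapper that passes `-c` on purpose gets the default config with no indication that the override was dropped; consider reporting it, at least when `debug` is non-zero (the `-v` path right below increments it), e.g. `else if (debug) fprintf(stderr, "htsearch: -c ignored in CGI mode\n");`. The `ALLOW_INSECURE_CGI_CONFIG` escape hatch is not documented anywhere in the hunk or the covering message; a note in the build instructions should say that defining it restores exactly the remote config-file selection this advisory is fixing. Style: the `#ifndef`-wrapped opening and closing braces around `configFile = optarg; override_config=1;` make the control flow hard to follow; an `int allow_insecure_config` set from the macro and a single `if (allow_insecure_config || !getenv("REQUEST_METHOD"))` would keep the braces unconditional.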
