Skip Quicknav

• About Debian
• News
• Getting Debian
• Support
• Developers' Corner
• Site map
• Search

Debian Security Advisory

DSA-080-1 htdig -- unauthorized gathering of data

Date Reported:

17 Oct 2001

Affected Packages:

htdig

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2001-0834.

More information:

Nergal reported a vulnerability in the htsearch program which is distributed as part of the ht://Dig package, an indexing and searching system for small domains or intranets. Using former versions it was able to pass the parameter -c to the cgi program in order to use a different configuration file.

A malicious user could point htsearch to a file like /dev/zero and let the server run in an endless loop, trying to read config parameters. If the user has write permission on the server they can point the program to it and retrieve any file readable by the webserver user id.

This problem has been fixed in version 3.1.5-2.0potato.1 for Debian GNU/Linux 2.2.

We recommend that you upgrade your htdig package immediately.

Fixed in:

Debian GNU/Linux 2.2 (potato)

Source:

http://security.debian.org/dists/stable/updates/main/source/htdig_3.1.5-2.0potato.1.diff.gz

http://security.debian.org/dists/stable/updates/main/source/htdig_3.1.5-2.0potato.1.dsc

http://security.debian.org/dists/stable/updates/main/source/htdig_3.1.5.orig.tar.gz

Architecture-independent component:

http://security.debian.org/dists/stable/updates/main/binary-all/htdig-doc_3.1.5-2.0potato.1_all.deb

Alpha:

http://security.debian.org/dists/stable/updates/main/binary-alpha/htdig_3.1.5-2.0potato.1_alpha.deb

ARM:

http://security.debian.org/dists/stable/updates/main/binary-arm/htdig_3.1.5-2.0potato.1_arm.deb

Intel ia32:

http://security.debian.org/dists/stable/updates/main/binary-i386/htdig_3.1.5-2.0potato.1_i386.deb

Motorola 680x0:

http://security.debian.org/dists/stable/updates/main/binary-m68k/htdig_3.1.5-2.0potato.1_m68k.deb

PowerPC:

http://security.debian.org/dists/stable/updates/main/binary-powerpc/htdig_3.1.5-2.0potato.1_powerpc.deb

Sun Sparc:

http://security.debian.org/dists/stable/updates/main/binary-sparc/htdig_3.1.5-2.0potato.1_sparc.deb

MD5 checksums of the listed files are available in the original advisory.

This page is also available in the following languages:

dansk Deutsch español français 日本語 (Nihongo) Português suomi svenska

How to set the default document language