Security Bug Found in ht://Dig htsearch CGI (DoS, File Exposure)
14 Oct. 2001
The ht://Dig system is a complete indexing and searching system for a domain or Intranet. A security vulnerability in the product allows attackers to either cause the program to stop responding, or to cause it to reveal the content of sensitive files.
Vulnerable versions: htDig version 3.1.0b2 and more recent, including 3.1.5 and 3.2.0b3
Fixed versions: htDig version 3.1.6 or 3.2.0b4
The htsearch binary runs both as a CGI and as a command-line program. The command-line program accepts the -c [filename] option to read in an alternate configuration file. However, no filtering stops the CGI program from accepting command-line arguments as well, so a remote user can force the CGI to stall until it times out (resulting in a DoS) or make it read in a different configuration file.
For a remote exposure, the attacker-specified configuration file would need to be readable by the web server UID (for example, a file uploaded via anonymous FTP with uploads enabled, or a world-readable Samba log file); such a configuration file could then be used to potentially retrieve files readable by the web server UID.
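The root cause described above is a dual-mode binary that parses argv regardless of whether it was started by a shell or by the web server. The following C snippet is an added illustration, not ht://Dig's own code: `select_config_vulnerable` mirrors the behaviour the advisory describes (any `-c <file>` in argv is honoured), while `select_config_hardened` applies the mitigation of ignoring argv entirely once the process detects it is running as a CGI (the web server sets `GATEWAY_INTERFACE` to `CGI/1.1` per RFC 3875). The function names and the default configuration path are hypothetical.

```c
/* Added example (not ht://Dig code): a dual-mode CGI/command-line program
 * must not honour command-line options when invoked as a CGI, because the
 * web server may turn request data into argv (RFC 3875 section 4.4).
 * Function names and paths below are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEFAULT_CONFIG "/etc/htdig/htdig.conf"   /* constructed placeholder path */

/* True when the server-provided GATEWAY_INTERFACE value marks a CGI run.
 * The caller passes the value in, so the check is testable without
 * modifying the process environment. */
int is_cgi_request(const char *gateway_interface)
{
    return gateway_interface != NULL && strncmp(gateway_interface, "CGI/", 4) == 0;
}

/* Copy src into out, always NUL-terminating. */
static void copy_path(char *out, size_t outlen, const char *src)
{
    strncpy(out, src, outlen - 1);
    out[outlen - 1] = '\0';
}

/* BEFORE: "-c <file>" from argv is honoured unconditionally, so whoever
 * controls argv (a remote client, in CGI mode) chooses the config file. */
const char *select_config_vulnerable(int argc, char **argv, int cgi_mode,
                                     char *out, size_t outlen)
{
    (void)cgi_mode;                          /* the mode is never consulted */
    copy_path(out, outlen, DEFAULT_CONFIG);
    for (int i = 1; i + 1 < argc; i++) {
        if (strcmp(argv[i], "-c") == 0)
            copy_path(out, outlen, argv[i + 1]);
    }
    return out;
}

/* AFTER: argv is parsed only for genuine command-line runs; a CGI
 * invocation always uses the compiled-in default configuration. */
const char *select_config_hardened(int argc, char **argv, int cgi_mode,
                                   char *out, size_t outlen)
{
    copy_path(out, outlen, DEFAULT_CONFIG);
    if (cgi_mode)
        return out;                          /* ignore argv entirely */
    for (int i = 1; i + 1 < argc; i++) {
        if (strcmp(argv[i], "-c") == 0)
            copy_path(out, outlen, argv[i + 1]);
    }
    return out;
}

int main(int argc, char **argv)
{
    char cfg[256];
    int cgi = is_cgi_request(getenv("GATEWAY_INTERFACE"));
    select_config_hardened(argc, argv, cgi, cfg, sizeof cfg);
    printf("mode=%s config=%s\n", cgi ? "cgi" : "cli", cfg);
    return 0;
}
```

Run from a shell, `./a.out -c other.conf` selects `other.conf`; with `GATEWAY_INTERFACE=CGI/1.1` set in the environment, the same argv is ignored and the default is used. The same gate also closes the DoS path, since the arguments that can stall the program are no longer accepted from a web request.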