-----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-01:67 Security Advisory FreeBSD, Inc. Topic: htdig configuration file vulnerability Category: ports Module: htdig Announced: 2001-12-17 Credits: Rafal Wojtczuk Affects: Ports collection prior to the correction date Corrected: 2001-09-25 07:08:47 2001 UTC FreeBSD only: NO I. Background htsearch is a part of htdig. The htdig system is a complete World Wide Web indexing and searching system. II. Problem Description htsearch can be run either remotely as a CGI or from the command line. htsearch supports several options for use from the command line, such as an option specifying a configuration file that it should use. However, these options are not limited to use via the command line. When run as a CGI script, htsearch still honors these options, which may be passed as part of the URL. As a result, a remote attacker can request that htsearch use any file that the webserver has sufficient privilege to read as a configuration file. The htsearch port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 6000 third-party applications in a ready-to-install format. The ports collection shipped with FreeBSD 4.4 contains this problem since it was discovered after the release. FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports. III. Impact A remote attacker may use htsearch as a kind of denial-of-service attack by causing it to read a never-ending special file such as `/dev/null'. More seriously, if the attacker has a local account or can otherwise create a file on the target system (such as via anonymous FTP upload or Samba), then he can remotely read any file on the target system for which the webserver has sufficient privilege. IV. Workaround 1) Deinstall the htdig port/package if you have it installed. V. Solution 1) Upgrade your entire ports collection and rebuild the htdig port. 2) Deinstall the old package and install a new package dated after the correction date, obtained from the following directories: [i386] ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/textproc/htdig-3.1.5_1.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/textproc/htdig-3.1.5_1.tgz [alpha] Packages are not automatically generated for the alpha architecture at this time due to lack of build resources. 3) Download a new port skeleton for the htdig port from: http://www.freebsd.org/ports/ and use it to rebuild the port. 4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz VI. Correction details The following list contains the revision numbers of each file that was corrected in the FreeBSD ports collection. Path Revision - ------------------------------------------------------------------------- ports/textproc/htdig/Makefile 1.20 ports/textproc/htdig/file/patch-htsearch_cc 1.1 - ------------------------------------------------------------------------- VII. References -----BEGIN PGP SIGNATURE----- Comment: http://www.nectar.cc/pgp iQCVAwUBPB4x3FUuHi5z0oilAQHsFgP/XYz0xj2mb7RjsKxkrM0Ymtur3CJAWjc/ 2lNGjTWMCg46PFX+wlLkd5O37Ryr6wPALamLJu30WmYNgIMPU64vlTrqXVzgPgwv ZZP3xv8qKTNrZwo40QYxTgeWF2dxIHAztrcD25CEUvrgPTAs0ZjwLKoVxM3sCqyl Fr2A/AN+JWw= =oZgk -----END PGP SIGNATURE-----