COMMAND

    htdig

SYSTEMS AFFECTED

    Unix, Win32, MacOS, Mac OS X Server with htdig 3.1.4, 3.2.0b1 and previous

PROBLEM

    Geoff Hutchison found the following.  Any remote user can view
    arbitrary files on your system with the privileges of the web
    user.  The CGI does not properly verify form input.  Many of the
    form fields are applied as configuration attributes regardless of
    their contents.  The configuration code allows config files to
    include other files through the use of backticks, e.g.:

        start_url:  `/var/htdig/htdig.urls`

    No distinction was made  between CGI input and  configuration file
    input and both would be  expanded for variables or file  includes.
    Exploit (this no longer works):

        http://www.htdig.org/cgi-bin/htsearch?exclude=%60/etc/passwd%60

    The file will show up in  the source of the resulting page  in the
    "exclude"  field  of  the  search  form. Other variations could be
    applied.
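    The parsing mistake described above, shown as an added example in
    C++ (htdig's language) that is not htdig's own code: a backtick
    expander that is legitimate for a trusted configuration file, the
    flawed pattern in which CGI form fields are stored as attributes and
    expanded with the same rules, and a hardened form that records where
    each attribute came from and never expands request-supplied values.
    The in-memory "filesystem" (kFakeFs), the file paths, and all
    function and class names are constructed for this example.

```cpp
#include <iostream>
#include <map>
#include <string>

// Constructed stand-in for the filesystem so the example runs offline.
static const std::map<std::string, std::string> kFakeFs = {
    {"/var/htdig/htdig.urls", "http://www.example.com/\n"},
    {"/etc/secret",           "sensitive-contents\n"},
};

static std::string readFile(const std::string& path) {
    auto it = kFakeFs.find(path);
    return it == kFakeFs.end() ? std::string() : it->second;
}

// Expand `path` includes in an attribute value. This is reasonable for
// values read from a trusted config file on disk.
std::string expandBackticks(const std::string& value) {
    std::string out;
    std::size_t i = 0;
    while (i < value.size()) {
        if (value[i] != '`') { out += value[i++]; continue; }
        std::size_t end = value.find('`', i + 1);
        if (end == std::string::npos) { out += value.substr(i); break; }
        out += readFile(value.substr(i + 1, end - i - 1));
        i = end + 1;
    }
    return out;
}

// Flawed pattern: a form field is applied as a configuration attribute
// regardless of contents, and later read back through the same expander
// used for the config file, so the request controls which file is read.
std::string vulnerableExcludeValue() {
    std::map<std::string, std::string> config;
    config["start_url"] = "`/var/htdig/htdig.urls`";   // from config file
    config["exclude"]   = "`/etc/secret`";              // from CGI input
    return expandBackticks(config["exclude"]);
}

// Hardened pattern: each attribute remembers its origin. Only values
// from the config file are eligible for backtick expansion; values set
// from the request are returned verbatim.
struct Attribute { std::string value; bool fromConfigFile; };

class Config {
public:
    void setFromFile(const std::string& k, const std::string& v) { attrs_[k] = {v, true}; }
    void setFromRequest(const std::string& k, const std::string& v) { attrs_[k] = {v, false}; }
    std::string get(const std::string& k) const {
        auto it = attrs_.find(k);
        if (it == attrs_.end()) return "";
        return it->second.fromConfigFile ? expandBackticks(it->second.value)
                                         : it->second.value;
    }
private:
    std::map<std::string, Attribute> attrs_;
};

std::string hardenedValue(const std::string& key) {
    Config cfg;
    cfg.setFromFile("start_url", "`/var/htdig/htdig.urls`");
    cfg.setFromRequest("exclude", "`/etc/secret`");
    return cfg.get(key);
}

int main() {
    std::cout << "vulnerable exclude: " << vulnerableExcludeValue();
    std::cout << "hardened start_url: " << hardenedValue("start_url");
    std::cout << "hardened exclude:   " << hardenedValue("exclude") << '\n';
    return 0;
}
```

    The hardened version does not try to filter backticks out of the
    request; it simply never applies file-include semantics to anything
    that did not come from the trusted configuration file, which is the
    distinction the original code failed to make.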

SOLUTION

    The recent 3.1.5 release fixes this problem.  For the beta release
    of  3.2.0b1,  users  should  update  to  the  latest   development
    snapshot, htdig-3.2.0b2-022700 and a 3.2.0b2 release will come out
    shortly.  A patch is also available to update from 3.1.4 to 3.1.5.

    For FreeBSD, the solution is one of the following:

        1) Upgrade your entire ports collection and rebuild the  htdig
           port
        2) Reinstall a new package obtained from:
             ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/textproc/htdig-3.1.5.tgz
             ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-current/textproc/htdig-3.1.5.tgz
             ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-current/textproc/htdig-3.1.5.tgz
        3) Download a new port skeleton for the htdig port from:
             http://www.freebsd.org/ports/
        4) Use the portcheckout utility to automate option (3)  above.
           The     portcheckout     port      is     available      in
           /usr/ports/devel/portcheckout  or   the  package   can   be
           obtained from:
             ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
             ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-current/devel/portcheckout-2.0.tgz
             ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-current/devel/portcheckout-2.0.tgz

    For Debian, the solution is:

        http://security.debian.org/dists/stable/updates/source/htdig_3.1.5-0.1.diff.gz
        http://security.debian.org/dists/stable/updates/source/htdig_3.1.5-0.1.dsc
        http://security.debian.org/dists/stable/updates/source/htdig_3.1.5.orig.tar.gz

        http://security.debian.org/dists/stable/updates/binary-alpha/htdig_3.1.5-0.1_alpha.deb

        http://security.debian.org/dists/stable/updates/binary-i386/htdig_3.1.5-0.1_i386.deb

        http://security.debian.org/dists/stable/updates/binary-m68k/htdig_3.1.5-0.1_m68k.deb

        http://security.debian.org/dists/stable/updates/binary-sparc/htdig_3.1.5-0.1_sparc.deb