Mandrake Linux Security Advisory : htdig (MDKSA-2001:083)
Severity: Medium | Nessus Plugin ID 13896

Synopsis: The remote Mandrake Linux host is missing one or more security updates.

Description: A problem was discovered in the ht://Dig web indexing and searching program. Nergal reported a vulnerability in htsearch that allows a remote user to pass the -c parameter (which selects a specific config file) to the htsearch program when it runs as a CGI. A malicious user could point it at a file such as /dev/zero and force the CGI to stall until it times out; repeated attacks could result in a DoS. As well, if the user has write permission on the server and can create a file with certain entries, they can point the server to that file and retrieve any file readable by the webserver UID.

Solution: Update the affected htdig, htdig-devel and / or htdig-web packages.