3571e53040
patches for easier mirroring, to eliminate a special copy, to make www.freebsd.org/security a full copy of security.freebsd.org and be eventually be the same. For now files are just sitting there. The symlinks are missing. Discussed on: www (repository location) Discussed with: simon (so)
90 lines
3.3 KiB
Text
90 lines
3.3 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
|
|
=============================================================================
|
|
FreeBSD-SA-00:06 Security Advisory
|
|
FreeBSD, Inc.
|
|
|
|
Topic: htdig port allows remote reading of files
|
|
|
|
Category: ports
|
|
Module: htdig
|
|
Announced: 2000-03-01
|
|
Affects: Ports collection before the correction date.
|
|
Corrected: 2000-02-28
|
|
FreeBSD only: NO
|
|
|
|
I. Background
|
|
|
|
The ht://Dig system is a complete world wide web indexing and searching
|
|
system for a small domain or intranet.
|
|
|
|
II. Problem Description
|
|
|
|
There is a security hole in the htsearch cgi-bin program for versions of
|
|
htdig prior to 3.1.5, which allows remote users to read any file on the
|
|
local system that is accessible to the user ID running htsearch (usually
|
|
the user ID running the webserver process, user 'nobody' in the default
|
|
installation of apache).
|
|
|
|
Note that the htdig utility is not installed by default, nor is it "part
|
|
of FreeBSD" as such: it is part of the FreeBSD ports collection, which
|
|
contains over 3100 third-party applications in a ready-to-install format.
|
|
|
|
FreeBSD makes no claim about the security of these third-party
|
|
applications, although an effort is underway to provide a security audit
|
|
of the most security-critical ports.
|
|
|
|
III. Impact
|
|
|
|
If you have not chosen to install the htdig port/package, then your system
|
|
is not vulnerable. If you have, then local or remote users who can connect
|
|
to a web server which contains the htsearch cgi-bin executable can read
|
|
any file on your system which is accessible to the user running the
|
|
htsearch process (typically user nobody). It is not currently believed
|
|
that an attacker can exploit this hole to modify or delete files, but they
|
|
may be able to use the ability to read files to mount a further attack
|
|
based on other security holes they discover.
|
|
|
|
IV. Workaround
|
|
|
|
Remove the /usr/local/share/apache/cgi-bin/htsearch file, if you do not
|
|
make use of it.
|
|
|
|
V. Solution
|
|
|
|
One of the following:
|
|
|
|
1) Upgrade your entire ports collection and rebuild the htdig port.
|
|
|
|
2) Reinstall a new package obtained from:
|
|
|
|
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/textproc/htdig-3.1.5.tgz
|
|
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-current/textproc/htdig-3.1.5.tgz
|
|
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-current/textproc/htdig-3.1.5.tgz
|
|
|
|
(Note: it may be several days before the new packages appear on the FTP
|
|
site)
|
|
|
|
3) download a new port skeleton for the htdig port from:
|
|
|
|
http://www.freebsd.org/ports/
|
|
|
|
and use it to rebuild the port.
|
|
|
|
4) Use the portcheckout utility to automate option (3) above. The
|
|
portcheckout port is available in /usr/ports/devel/portcheckout or the
|
|
package can be obtained from:
|
|
|
|
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
|
|
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-current/devel/portcheckout-2.0.tgz
|
|
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-current/devel/portcheckout-2.0.tgz
|
|
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: 2.6.2
|
|
|
|
iQCVAwUBOL1um1UuHi5z0oilAQGtnwP+JsTP4KCrAO/fEIMG70a79tPsLeqUiuyP
|
|
ihPc5Rw/e6wguW8qPLXvLGSsT5zzkXLOeuww+2ViPpYehTkD4cB1zt3UsWeNSGa+
|
|
kkWQyYFwK/3BaHbsN8COu4xa5c4B+VdqbFXa3G/cIM+MRRTxlhrDWqaJp58UKpD3
|
|
OA7HcbSdSKk=
|
|
=A+Nm
|
|
-----END PGP SIGNATURE-----
|