ht://Dig Search Engine Bug Lets Remote Users Determine the Configuration File Directory Path - SecurityTracker

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

Home | View Topics | Search | Contact Us |

SecurityTracker
Archives

Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary

Instant Alerts

Buy our Premium Vulnerability Notification Service to receive customized, instant alerts

Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!

Become a Partner and License Our Database or Notification Service

Report a Bug

Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com

Category: Application (Generic) > ht//Dig

Vendors: ht//Dig Group

ht://Dig Search Engine Bug Lets Remote Users Determine the Configuration File Directory Path

SecurityTracker Alert ID: 1003913

SecurityTracker URL: http://securitytracker.com/id/1003913

CVE Reference: GENERIC-MAP-NOMATCH (Links to External Site)

Date: Mar 28 2002

Impact: Disclosure of system information

Version(s): 3.1.5-8 and prior

Description: A vulnerability has been reported in the ht://Dig search engine software. A remote user can view the full path of the configuration file directory.

SecurityFocus reported a vulnerability in ht://Dig. According to the report, a remote user can execute the htsearch component of ht://Dig with bogus data supplied in the 'config' variable to cause ht://Dig to return the full path of the configuration file directory.

Furthermore, it is reported that a remote user can cause arbitrary files to be used as the configuration file by specifying the contents of the 'config' variable.

This vulnerability discovery is credited to Craig Davison <cdavison@securityfocus.com>.

Impact: A remote user can determine the full path of the configuration file directory.

Solution: No solution was available at the time of this entry.

Vendor URL: www.htdig.org/ (Links to External Site)

Cause: Exception handling error

Underlying OS: Linux (Any), UNIX (Any)

Message History: None.

Source Message Contents

Date: Thu, 28 Mar 2002 13:22:44 -0500
Subject: ht://Dig Configuration File Path Disclosure Vulnerability


SecurityFocus reported a vulnerability in ht://Dig, a search engine for
UNIX and Linux systems.

According to the report, a remote user can execute the htsearch
component of ht://Dig with bogus data supplied in the 'config' variable,
ht://Dig will return the full path of the configuration file directory. 
Furthermore, it is reported that a remote user can cause arbitrary files
to be used as the configuration file by specifying the contents of the
'config' variable.

This vulnerability discovery is credited to Craig Davison
<cdavison@securityfocus.com>.

Versions:  3.1.5-8 and prior

http://www.htdig.org

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us
Copyright 2013, SecurityGlobal.net LLC