(Gentoo Issues Fix) ht://dig Input Validation Hole in 'config' Parameter Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID: 1013175
SecurityTracker URL: http://securitytracker.com/id/1013175
CVE Reference: CAN-2005-0085
Date: Feb 14 2005
Impact:
Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available: Yes Vendor Confirmed: Yes
Description:
An input validation vulnerability was reported in ht://dig. A remote user can conduct cross-site scripting attacks.
SuSE reported that a cross-site scripting vulnerability was discovered by Michael Krax. The 'config' parameter does not properly filter HTML code from user-supplied input before displaying an error message containing the input. A remote user can cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the ht://dig software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
A demonstration exploit URL is provided:
http://[target]/cgi-bin/htsearch?config=%3Cscript%3Ealert('foo')%3C/script%3E
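The flaw described above is the classic reflected pattern: a request parameter is copied verbatim into an HTML error message. The following is an added illustration, not ht://dig's own code: a minimal model of the vulnerable error page next to a hardened version that validates the config name and HTML-encodes it before reflecting it. The hostname, config names and page markup are constructed for the example.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed: the config files this hypothetical installation actually ships.
KNOWN_CONFIGS = {"htdig", "sitesearch"}

# A config name should be a plain file stem: no markup, no path separators.
CONFIG_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def vulnerable_error_page(config: str) -> str:
    """Models the advisory's flaw: the raw parameter is interpolated into
    HTML, so any markup in it is rendered by the victim's browser."""
    return f"<html><body>Unable to read configuration file '{config}'</body></html>"


def hardened_error_page(config: str) -> str:
    """Validate first, then encode. The regex already rejects < > & ' ",
    but html.escape stays as defence in depth should the rule be loosened."""
    if not CONFIG_NAME_RE.fullmatch(config):
        return "<html><body>Invalid configuration name</body></html>"
    safe = html.escape(config, quote=True)
    return f"<html><body>Unable to read configuration file '{safe}'</body></html>"


def handle_search(url: str) -> str:
    """Reads the 'config' parameter from a request URL the way a CGI would,
    falling back to the default config when the parameter is absent."""
    query = parse_qs(urlsplit(url).query)
    config = query.get("config", ["htdig"])[0]
    if config in KNOWN_CONFIGS:
        return f"<html><body>Searching with '{html.escape(config)}'</body></html>"
    return hardened_error_page(config)


def reflects_script(page: str) -> bool:
    """True when a script tag survived into the response: the condition a
    reviewer or regression test wants to assert never holds."""
    return "<script" in page.lower()
```

Run `handle_search` against a request carrying the advisory's percent-encoded payload and compare the two page builders to see the difference between reflecting and encoding.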
Impact:
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the ht://dig software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:
Gentoo has released a fix and indicates that all ht://Dig users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-misc/htdig-3.1.6-r7"
Vendor URL: www.htdig.org/
Cause:
Input validation error
Underlying OS:
Linux (Gentoo)
Message History:
This archive entry is a follow-up to the message listed below.
Source Message Contents
Date: Sun, 13 Feb 2005 15:58:23 -0500
Subject: [gentoo-announce] [ GLSA 200502-16 ] ht://Dig: Cross-site scripting vulnerability
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200502-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Low
Title: ht://Dig: Cross-site scripting vulnerability
Date: February 13, 2005
Bugs: #80602
ID: 200502-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
ht://Dig is vulnerable to cross-site scripting attacks.
Background
==========
ht://Dig is an HTTP/HTML indexing and searching system.
Affected packages
=================
-------------------------------------------------------------------
Package            Vulnerable     Unaffected
-------------------------------------------------------------------
www-misc/htdig     < 3.1.6-r7     >= 3.1.6-r7
Description
===========
Michael Krax discovered that ht://Dig fails to validate the 'config'
parameter before displaying an error message containing the parameter.
This flaw could allow an attacker to conduct cross-site scripting
attacks.
Impact
======
By sending a carefully crafted message, an attacker can inject and
execute script code in the victim's browser window. This allows the
attacker to modify the behaviour of ht://Dig, and/or leak session
information such as cookies to the attacker.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All ht://Dig users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-misc/htdig-3.1.6-r7"
References
==========
[ 1 ] CAN-2005-0085
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0085
[ 2 ] SecurityTracker #1013078
http://securitytracker.com/alerts/2005/Feb/1013078.html
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200502-16.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.0