CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:N/A:P
EPSS
Percentile
87.3%
Nergal reported a vulnerability in the htsearch program which is distributed as part of the ht://Dig package, an indexing and searching system for small domains or intranets. Using former versions it was able to pass the parameter -c to the cgi program in order to use a different configuration file.
A malicious user could point htsearch to a file like/dev/zero and let the server run in an endless loop, trying to read config parameters.
If the user has write permission on the server they can point the program to it and retrieve any file readable by the webserver user id.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-080. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(14917);
script_version("1.17");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/04");
script_cve_id("CVE-2001-0834");
script_xref(name:"DSA", value:"080");
script_name(english:"Debian DSA-080-1 : htdig - unauthorized gathering of data");
script_summary(english:"Checks dpkg output for the updated package");
script_set_attribute(
attribute:"synopsis",
value:"The remote Debian host is missing a security-related update."
);
script_set_attribute(
attribute:"description",
value:
"Nergal reported a vulnerability in the htsearch program which is
distributed as part of the ht://Dig package, an indexing and
searching system for small domains or intranets. Using former
versions it was able to pass the parameter -c to the cgi program in
order to use a different configuration file.
A malicious user could point htsearch to a file like/dev/zero and let
the server run in an endless loop, trying to read config parameters.
If the user has write permission on the server they can point the
program to it and retrieve any file readable by the webserver user id."
);
# http://sourceforge.net/tracker/index.php?func=detail&aid=458013&group_id=4593&atid=104593
script_set_attribute(
attribute:"see_also",
value:"http://www.nessus.org/u?8db54e57"
);
script_set_attribute(
attribute:"see_also",
value:"http://www.debian.org/security/2001/dsa-080"
);
script_set_attribute(
attribute:"solution",
value:
"Upgrade the htdig package immediately.
This problem has been fixed in version 3.1.5-2.0potato.1 for Debian
GNU/Linux 2.2."
);
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:htdig");
script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:2.2");
script_set_attribute(attribute:"patch_publication_date", value:"2001/10/17");
script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
script_set_attribute(attribute:"vuln_publication_date", value:"2001/09/03");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.");
script_family(english:"Debian Local Security Checks");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
exit(0);
}
include("audit.inc");
include("debian_package.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
flag = 0;
if (deb_check(release:"2.2", prefix:"htdig", reference:"3.1.5-2.0potato.1")) flag++;
if (deb_check(release:"2.2", prefix:"htdig-doc", reference:"3.1.5-2.0potato.1")) flag++;
if (flag)
{
if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
else security_warning(0);
exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");