htdig: SECURITY: Announcement of 3.1.0b4


Geoff Hutchison (ghutchis@wso.williams.edu)
Fri, 1 Jan 1999 01:39:09 -0500 (EST)


I didn't get a chance to announce version 3.1.0b4 over the "holiday
break." Basically the changes include fixes for memory leaks in htnotify
and htsearch (that "20x performance decrease") and a BIG SECURITY HOLE in
htnotify.

Let me make this very clear: if you use htnotify, either upgrade to
3.1.0b4 or don't use htnotify. Period.

The hole allows malicious users to execute commands running as the same
user as that running htnotify. This occurs when htnotify runs into a
webpage with a malicious tag. It does not occur when using htdig,
htmerge, htfuzzy, or htsearch.

I do not know of any cases where this hole has been used. It is present in
all of the 3.1.0bX versions up to 3.1.0b4. It may be present, though to a
lesser degree, in previous versions.

-Geoff Hutchison
Williams Students Online
http://wso.williams.edu/




This archive was generated by hypermail 2.0b3 on Sat Jan 02 1999 - 16:29:57 PST