[htdig] [SECURITY] Security hole in htsearch

Subject: [htdig] [SECURITY] Security hole in htsearch
From: Geoff Hutchison (ghutchis@wso.williams.edu)
Date: Fri Feb 25 2000 - 11:40:17 PST


I'm sending this message out essentially twice. The contents are
included in the 3.1.5 release notes, but I wanted to make sure
everyone got the message. There is a security hole in all versions of
htsearch prior to version 3.1.5 (just released).

This hole can allow remote users to read any file on your system that
the UID running your webserver can read.

It is *strongly* recommended that you upgrade to 3.1.5 ASAP. Anyone
upgrading from a 3.1.x stable release will find the process fairly
painless and to fix the hole, they can simply drop in the new CGI.
The databases themselves are not affected.

Anyone using version 3.2.0b1 is suggested to upgrade to the latest
development snapshot. The next beta version, 3.2.0b2, will be
released shortly to address this issue and other bugs.

More detailed information will be posted to the BugTraq mailing list
in a few days.

-Geoff Hutchison
Williams Students Online

To unsubscribe from the htdig mailing list, send a message to
You will receive a message to confirm this.

This archive was generated by hypermail 2b28 : Fri Feb 25 2000 - 11:45:09 PST