Conectiva Local Security Checks : Conectiva Security Advisory CLA-2001:429

Anfälligkeitssuche		Suche in 324607 CVE Beschreibungen und 145615 Test Beschreibungen, Zugriff auf 10,000+ Quellverweise.
	Tests CVE Alle

Test Kennung: 1.3.6.1.4.1.25623.1.0.51586

Kategorie: Conectiva Local Security Checks

Titel: Conectiva Security Advisory CLA-2001:429

Zusammenfassung: NOSUMMARY

Beschreibung: Description:

The remote host is missing updates announced in
advisory CLA-2001:429.

The ht://Dig system is a complete world wide web indexing and
searching system for a small domain or intranet. The htsearch
program is the component used for queries and can be used with
a web server using a cgi interface.

Nergal reported[1] a vulnerability in
htsearch wich allows a remote user to pass the -c parameter (use
specific config file) to the program even when it's running as a
cgi. A malicious user could point to a file like /dev/zero and let
the server run in an endless loop, trying to read config
parameters from there. Also, if the user has write permission on
the server and can create a file with specific entries, he/she can
point the server to it and retrive any file readable by the
webserver UID.

Solution:
The apt tool can be used to perform RPM package upgrades
by running 'apt-get update' followed by 'apt-get upgrade'

http://sourceforge.net/tracker/index.php?func=detail&aid=458013&group_id=4593&
http://www.securityspace.com/smysecure/catid.html?in=CLA-2001:429
http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=002001

Risk factor : High

Copyright Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com

Dies ist nur einer von 145615 Anfälligkeitstests in unserem Testpaket. Finden Sie mehr über unsere vollständigen Sicherheitsüberprüfungen heraus.
Um einen gratis Test für diese Anfälligkeit auf Ihrem System durchlaufen zu lassen, registrieren Sie sich bitte unten.

Test Kennung:	1.3.6.1.4.1.25623.1.0.51586
Kategorie:	Conectiva Local Security Checks
Titel:	Conectiva Security Advisory CLA-2001:429
Zusammenfassung:	NOSUMMARY
Beschreibung:	Description: The remote host is missing updates announced in advisory CLA-2001:429. The ht://Dig system is a complete world wide web indexing and searching system for a small domain or intranet. The htsearch program is the component used for queries and can be used with a web server using a cgi interface. Nergal reported[1] a vulnerability in htsearch wich allows a remote user to pass the -c parameter (use specific config file) to the program even when it's running as a cgi. A malicious user could point to a file like /dev/zero and let the server run in an endless loop, trying to read config parameters from there. Also, if the user has write permission on the server and can create a file with specific entries, he/she can point the server to it and retrive any file readable by the webserver UID. Solution: The apt tool can be used to perform RPM package upgrades by running 'apt-get update' followed by 'apt-get upgrade' http://sourceforge.net/tracker/index.php?func=detail&aid=458013&group_id=4593& http://www.securityspace.com/smysecure/catid.html?in=CLA-2001:429 http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=002001 Risk factor : High
Copyright	Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com