ht://Dig Remote Denial of Service/File Disclosure Vulnerability

ht://Dig is freely available, open-source web search engine and indexing software.

ht://Dig is usable via the web interface or from the command line. It may be possible for a remote attacker to cause a denial of service or under certain circumstances display arbitrary web-readable files. This is due to the fact that it is possible to use command line arguments from the web interface. In particular, the -c [filename] argument is normally used to specify an alternate configuration file. Using the web interface to request /dev/zero may cause a denial of service by exhausting resources on the host. A request for a web-readable file may cause it to be disclosed.

Sensitive information contained in disclosed web-readable files may be used to mount further attacks on the host.


Privacy Statement
Copyright 2010, SecurityFocus