Dig Config Parameter Cross-Site Scripting Vulnerability

Bugtraq ID:	12442
Class:	Input Validation Error
CVE:	CVE-2005-0085
Remote:	Yes
Local:	No
Published:	Feb 03 2005 12:00AM
Updated:	Jul 31 2006 10:21PM
Credit:	This issue was reported by SuSE.
Vulnerable:	The ht://Dig Group ht://Dig 3.2 0b6 The ht://Dig Group ht://Dig 3.2 0b5 The ht://Dig Group ht://Dig 3.2 0b4 - Debian Linux 2.1 - Debian Linux 2.0 - HP HP-UX 10.20 - HP HP-UX 9.10 - Sun Solaris 2.6 - Sun Solaris 2.5 - Sun SunOS 4.1.4 The ht://Dig Group ht://Dig 3.2 0b3 - Debian Linux 2.1 - Debian Linux 2.0 - HP HP-UX 10.20 - HP HP-UX 9.10 + HP Secure OS software for Linux 1.0 + Redhat Linux 7.2 + Redhat Linux 7.1 - Sun Solaris 2.6 - Sun Solaris 2.5 - Sun SunOS 4.1.4 The ht://Dig Group ht://Dig 3.2 0b2 - Debian Linux 2.1 - Debian Linux 2.0 - HP HP-UX 10.20 - HP HP-UX 9.10 - Sun Solaris 2.6 - Sun Solaris 2.5 - Sun SunOS 4.1.4 The ht://Dig Group ht://Dig 3.2 .0 + Mandriva Linux Mandrake 8.1 The ht://Dig Group ht://Dig 3.1.6 + Debian Linux 3.0 - Debian Linux 2.1 - Debian Linux 2.0 + Gentoo Linux - HP HP-UX 10.20 - HP HP-UX 9.10 - Sun Solaris 2.6 - Sun Solaris 2.5 - Sun SunOS 4.1.4 The ht://Dig Group ht://Dig 3.1.5 -8 + Caldera OpenLinux Server 3.1 + Caldera OpenLinux Workstation 3.1 The ht://Dig Group ht://Dig 3.1.5 -7 + Caldera OpenLinux Server 3.1 + Caldera OpenLinux Workstation 3.1 The ht://Dig Group ht://Dig 3.1.5 + Debian Linux 2.2 sparc + Debian Linux 2.2 powerpc + Debian Linux 2.2 arm + Debian Linux 2.2 alpha + Debian Linux 2.2 68k + Debian Linux 2.2 - Debian Linux 2.1 - Debian Linux 2.0 - HP HP-UX 10.20 - HP HP-UX 9.10 + Mandriva Linux Mandrake 8.0 ppc + Mandriva Linux Mandrake 8.0 + Mandriva Linux Mandrake 7.2 - Sun Solaris 2.6 - Sun Solaris 2.5 - Sun SunOS 4.1.4 SuSE Linux 8.1 SuSE Linux 8.0 i386 SuSE Linux 8.0 SCO Unixware 7.1.4 SCO Unixware 7.1.3 up SCO Unixware 7.1.3 SCO Open Server 6.0 SCO Open Server 5.0.7 S.u.S.E. Linux Personal 9.2 S.u.S.E. Linux Personal 9.1 S.u.S.E. Linux Personal 9.0 x86_64 S.u.S.E. Linux Personal 9.0 S.u.S.E. Linux Personal 8.2 Redhat Linux 9.0 i386 Redhat Linux 7.3 i686 Redhat Linux 7.3 i386 Redhat Linux 7.3 Redhat Fedora Core3 Redhat Fedora Core2 Redhat Fedora Core1 Mandriva Linux Mandrake 10.1 x86_64 Mandriva Linux Mandrake 10.1 Mandriva Linux Mandrake 10.0 AMD64 Mandriva Linux Mandrake 10.0 MandrakeSoft Corporate Server 3.0 x86_64 MandrakeSoft Corporate Server 3.0 MandrakeSoft Corporate Server 2.1 x86_64 MandrakeSoft Corporate Server 2.1
Not Vulnerable:

Dig Config Parameter Cross-Site Scripting Vulnerability

ht://Dig is reported prone to a cross-site scripting vulnerability. This issue is due to the application's failure to properly sanitize user-supplied URI data before including it in dynamically generated web-page content.

All versions of ht://Dig are considered vulnerable at the moment.

Dig Config Parameter Cross-Site Scripting Vulnerability

An exploit is not required.

Dig Config Parameter Cross-Site Scripting Vulnerability

Solution:
SuSE Linux has released a security summary report (SUSE-SR:2005:003) that contains fixes to address this and other vulnerabilities. Please see the referenced advisories for more information on obtaining and applying appropriate updates.


The ht://Dig Group ht://Dig 3.1.6

• Debian htdig-doc_3.1.6-3woody1_all.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/h/htdig/htdig-doc_3.1.6-3 woody1_all.deb


• Debian htdig_3.1.6-3woody1_alpha.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/h/htdig/htdig_3.1.6-3wood y1_alpha.deb


• Debian htdig_3.1.6-3woody1_arm.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/h/htdig/htdig_3.1.6-3wood y1_arm.deb


• Debian htdig_3.1.6-3woody1_hppa.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/h/htdig/htdig_3.1.6-3wood y1_hppa.deb


• Debian htdig_3.1.6-3woody1_i386.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/h/htdig/htdig_3.1.6-3wood y1_i386.deb


• Debian htdig_3.1.6-3woody1_ia64.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/h/htdig/htdig_3.1.6-3wood y1_ia64.deb


• Debian htdig_3.1.6-3woody1_m68k.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/h/htdig/htdig_3.1.6-3wood y1_m68k.deb


• Debian htdig_3.1.6-3woody1_mips.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/h/htdig/htdig_3.1.6-3wood y1_mips.deb


• Debian htdig_3.1.6-3woody1_mipsel.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/h/htdig/htdig_3.1.6-3wood y1_mipsel.deb


• Debian htdig_3.1.6-3woody1_powerpc.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/h/htdig/htdig_3.1.6-3wood y1_powerpc.deb


• Debian htdig_3.1.6-3woody1_s390.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/h/htdig/htdig_3.1.6-3wood y1_s390.deb


• Debian htdig_3.1.6-3woody1_sparc.deb
  Debian GNU/Linux 3.0 alias woody
  http://security.debian.org/pool/updates/main/h/htdig/htdig_3.1.6-3wood y1_sparc.deb


• SuSE htdig-3.1.6-402.4.i586.rpm
  ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/htdig-3.1.6-402.4 .i586.rpm


• SuSE htdig-3.1.6-402.4.x86_64.rpm
  ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/htdig-3.1.6-4 02.4.x86_64.rpm


• SuSE htdig-3.1.6-407.i586.rpm
  ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/htdig-3.1.6-407.i 586.rpm


• SuSE htdig-3.1.6-407.i586.rpm
  ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/htdig-3.1.6-407.i 586.rpm


• SuSE htdig-3.1.6-407.i586.rpm
  ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/htdig-3.1.6-407.i 586.rpm


• SuSE htdig-3.1.6-407.x86_64.rpm
  ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/htdig-3.1.6-4 07.x86_64.rpm

The ht://Dig Group ht://Dig 3.2 .0

• Fedora Legacy htdig-3.2.0-16.20021103.3.legacy.i386.rpm
  Red Hat Linux 9:
  http://download.fedoralegacy.org/redhat/9/updates/i386/htdig-3.2.0-16. 20021103.3.legacy.i386.rpm


• Fedora Legacy htdig-3.2.0-19.20030601.2.legacy.i386.rpm
  Red Hat Linux 9:
  http://download.fedoralegacy.org/fedora/1/updates/i386/htdig-3.2.0-19. 20030601.2.legacy.i386.rpm


• Fedora Legacy htdig-3.2.0-2.011302.3.legacy.i386.rpm
  Red Hat Linux 7.3:
  http://download.fedoralegacy.org/redhat/7.3/updates/i386/htdig-3.2.0-2 .011302.3.legacy.i386.rpm


• Fedora Legacy htdig-3.2.0b5-7.2.legacy.i386.rpm
  Fedora Core 2:
  http://download.fedoralegacy.org/fedora/2/updates/i386/htdig-3.2.0b5-7 .2.legacy.i386.rpm


• Fedora Legacy htdig-web-3.2.0-16.20021103.3.legacy.i386.rpm
  Red Hat Linux 9:
  http://download.fedoralegacy.org/redhat/9/updates/i386/htdig-web-3.2.0 -16.20021103.3.legacy.i386.rpm


• Fedora Legacy htdig-web-3.2.0-19.20030601.2.legacy.i386.rpm
  Red Hat Linux 9:
  http://download.fedoralegacy.org/fedora/1/updates/i386/htdig-web-3.2.0 -19.20030601.2.legacy.i386.rpm


• Fedora Legacy htdig-web-3.2.0-2.011302.3.legacy.i386.rpm
  Red Hat Linux 7.3:
  http://download.fedoralegacy.org/redhat/7.3/updates/i386/htdig-web-3.2 .0-2.011302.3.legacy.i386.rpm


• Fedora Legacy htdig-web-3.2.0b5-7.2.legacy.i386.rpm
  Fedora Core 2:
  http://download.fedoralegacy.org/fedora/2/updates/i386/htdig-web-3.2.0 b5-7.2.legacy.i386.rpm


• Mandrake htdig-3.2.0-0.7.1.C21mdk.i586.rpm
  Mandrake Corporate Server 2.1
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake htdig-3.2.0-0.7.1.C21mdk.x86_64.rpm
  Mandrake Corporate Server 2.1/x86_64
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake htdig-3.2.0-0.8.1.100mdk.amd64.rpm
  Mandrake Linux 10.0/AMD64
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake htdig-3.2.0-0.8.1.100mdk.i586.rpm
  Mandrake Linux 10.0
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake htdig-3.2.0-0.8.1.101mdk.i586.rpm
  Mandrake Linux 10.1
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake htdig-3.2.0-0.8.1.101mdk.x86_64.rpm
  Mandrake Linux 10.1/x86_64
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake htdig-3.2.0-0.8.1.C30mdk.i586.rpm
  Mandrake Corporate Server 3.0
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake htdig-3.2.0-0.8.1.C30mdk.x86_64.rpm
  Mandrake Corporate Server 3.0/x86_64
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake htdig-devel-3.2.0-0.7.1.C21mdk.i586.rpm
  Mandrake Corporate Server 2.1
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake htdig-devel-3.2.0-0.7.1.C21mdk.x86_64.rpm
  Mandrake Corporate Server 2.1/x86_64
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake htdig-devel-3.2.0-0.8.1.100mdk.amd64.rpm
  Mandrake Linux 10.0/AMD64
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake htdig-devel-3.2.0-0.8.1.100mdk.i586.rpm
  Mandrake Linux 10.0
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake htdig-devel-3.2.0-0.8.1.101mdk.i586.rpm
  Mandrake Linux 10.1
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake htdig-devel-3.2.0-0.8.1.101mdk.x86_64.rpm
  Mandrake Linux 10.1/x86_64
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake htdig-devel-3.2.0-0.8.1.C30mdk.i586.rpm
  Mandrake Corporate Server 3.0
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake htdig-devel-3.2.0-0.8.1.C30mdk.x86_64.rpm
  Mandrake Corporate Server 3.0/x86_64
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake htdig-web-3.2.0-0.7.1.C21mdk.i586.rpm
  Mandrake Corporate Server 2.1
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake htdig-web-3.2.0-0.7.1.C21mdk.x86_64.rpm
  Mandrake Corporate Server 2.1/x86_64
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake htdig-web-3.2.0-0.8.1.100mdk.amd64.rpm
  Mandrake Linux 10.0/AMD64
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake htdig-web-3.2.0-0.8.1.100mdk.i586.rpm
  Mandrake Linux 10.0
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake htdig-web-3.2.0-0.8.1.101mdk.i586.rpm
  Mandrake Linux 10.1
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake htdig-web-3.2.0-0.8.1.101mdk.x86_64.rpm
  Mandrake Linux 10.1/x86_64
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake htdig-web-3.2.0-0.8.1.C30mdk.i586.rpm
  Mandrake Corporate Server 3.0
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake htdig-web-3.2.0-0.8.1.C30mdk.x86_64.rpm
  Mandrake Corporate Server 3.0/x86_64
  http://www.mandrakesecure.net/en/ftp.php

The ht://Dig Group ht://Dig 3.2 0b6

• Fedora htdig-3.2.0b6-3.FC3.1.i386.rpm
  RedHat Fedora Core 3
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/


• Fedora htdig-3.2.0b6-3.FC3.1.x86_64.rpm
  RedHat Fedora Core 3
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/


• Fedora htdig-debuginfo-3.2.0b6-3.FC3.1.i386.rpm
  RedHat Fedora Core 3
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/


• Fedora htdig-debuginfo-3.2.0b6-3.FC3.1.x86_64.rpm
  RedHat Fedora Core 3
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/


• Fedora htdig-web-3.2.0b6-3.FC3.1.i386.rpm
  RedHat Fedora Core 3
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/


• Fedora htdig-web-3.2.0b6-3.FC3.1.x86_64.rpm
  RedHat Fedora Core 3
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/


• SuSE htdig-3.2.0b6-3.2.i586.rpm
  ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/htdig-3.2.0b6-3.2 .i586.rpm


• SuSE htdig-3.2.0b6-3.2.x86_64.rpm
  ftp://ftp.suse.com/pub/suse/x86_64/update/9.2/rpm/x86_64/htdig-3.2.0b6 -3.2.x86_64.rpm

SCO Open Server 5.0.7

• SCO VOL.000.000 for SCOSA-2005.46
  ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.46/507

SCO Open Server 6.0

• SCO VOL.000.000 for SCOSA-2005.46
  ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.46/600

SCO Unixware 7.1.3

• SCO erg712807.Z
  ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.45/713

SCO Unixware 7.1.3 up

• SCO erg712807.Z
  ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.45/713

SCO Unixware 7.1.4

• SCO erg712807.Z
  ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.45/714

Dig Config Parameter Cross-Site Scripting Vulnerability

References:

• ht://Dig Homepage (ht://Dig Group)