| Field | Value |
|---|---|
| VID | 21472 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description | The ht://Dig htsearch CGI, according to its version number, has a cross-site scripting vulnerability. ht://Dig is a freely available, open source search engine. ht://Dig versions 3.2.0b6 and earlier are vulnerable to cross-site scripting, caused by improper handling of user-supplied input in the 'config' variable of the htsearch.cgi script. A remote attacker could create a specially crafted URL that would execute arbitrary script in a user's browser within the trust relationship between the browser and the server. |
| Note | This check relies solely on the version number of the ht://Dig htsearch CGI installed on the remote Web server to assess this vulnerability, so it may be a false positive. |
| References | http://www.securitytracker.com/alerts/2005/Feb/1013078.html |
| Platforms Affected | ht://Dig versions 3.2.0b6 and earlier; Linux, any version; Unix, any version |
| Recommendation | No upgrade or patch available as of June 2014. Upgrade to the fixed version of ht://Dig (3.2.0b7 or later) when a fixed version becomes available from the ht://Dig Web site at http://www.htdig.org/ |
| Related URL | CVE-2005-0085 (CVE) |
| Related URL | 12442 (SecurityFocus) |
| Related URL | 19223 (ISS) |