htsearch CGI program in htdig (ht://Dig) 3.1.5 and earlier allows remote attackers to use the -c option to specify an alternate configuration file, which could be used to (1) cause a denial of service (CPU consumption) by specifying a large file such as /dev/zero, or (2) read arbitrary files by uploading an alternate configuration file that specifies the target file.
Hewlett-Packard Company recommends that customers download the RPMs listed in the following Red Hat Security Advisory: RHSA-2001:139 (2002-03-12), "Updated htdig packages are available", http://rhn.redhat.com/errata/RHSA-2001-139.html
Upgrades available.
Affected: ht://Dig Group ht://Dig 3.1.5-7
ht://Dig contains a flaw that may allow a remote denial of service. The issue is triggered by passing a -c parameter to the 'htsearch.cgi' script that specifies a file such as /dev/zero; the script then enters an infinite loop, resulting in a loss of availability for the application.
Upgrade to version 3.1.6 (stable) or 3.2.0b4 (development) or higher, as these releases have been reported to fix this vulnerability. An upgrade is required, as there are no known workarounds.
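As an added example (not part of the advisory text or the ht://Dig project), the following Python script flags web-server log entries in which an htsearch request carries the -c option described above, so the condition can be detected until the upgrade is in place. It assumes the option reaches htsearch through the CGI command line, i.e. a query string containing no '=' that the server splits on '+' (RFC 3875 section 4.4), and it runs over constructed Apache combined-format log lines.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2002:10:00:01 +0000] "GET /cgi-bin/htsearch?words=manual HTTP/1.0" 200 2345 "-" "Mozilla/4.0"
203.0.113.9 - - [12/Mar/2002:10:00:02 +0000] "GET /cgi-bin/htsearch?-c+/dev/zero HTTP/1.0" 200 0 "-" "Mozilla/4.0"
203.0.113.9 - - [12/Mar/2002:10:00:03 +0000] "GET /cgi-bin/htsearch?config=htdig&words=-c HTTP/1.0" 200 100 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Mar/2002:10:00:04 +0000] "GET /cgi-bin/htsearch.cgi?-c/tmp/upload.conf HTTP/1.0" 200 10 "-" "Mozilla/4.0"
203.0.113.5 - - [12/Mar/2002:10:00:05 +0000] "GET /cgi-bin/htsearch?manual+install HTTP/1.0" 200 900 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')


def htsearch_config_override(url):
    """Return the file an htsearch request would pass via -c, or None.

    Per the CGI spec, only a query string without '=' is split on '+' and
    handed to the program as argv, so 'words=-c' is an ordinary search term.
    Both the separate ('-c+FILE') and attached ('-cFILE') getopt forms count.
    """
    path, _, query = url.partition('?')
    if not path.endswith(('/htsearch', '/htsearch.cgi')) or not query or '=' in query:
        return None
    args = [unquote(a) for a in query.split('+')]
    for i, arg in enumerate(args):
        if arg == '-c' and i + 1 < len(args):
            return args[i + 1]
        if arg.startswith('-c') and len(arg) > 2:
            return arg[2:]
    return None


def scan_log(text):
    """Return a list of (client_ip, config_path) for every flagged request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = htsearch_config_override(m['url'])
        if target is not None:
            hits.append((m['ip'], target))
    return hits


if __name__ == '__main__':
    for ip, target in scan_log(SAMPLE_LOG):
        print(f'{ip} passed -c {target} to htsearch')
```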