====================================================================== Secunia Research 23/03/2005 - Mathopd Insecure Dump File Creation Vulnerability - ====================================================================== Table of Contents Affected Software....................................................1 Severity.............................................................2 Vendor's Description of Software.....................................3 Description of Vulnerability.........................................4 Solution.............................................................5 Time Table...........................................................6 Credits..............................................................7 References...........................................................8 About Secunia........................................................9 Verification........................................................10 ====================================================================== 1) Affected Software Mathopd 1.5p4 Mathopd 1.6b5 (BETA release) NOTE: Prior versions may also be affected. ====================================================================== 2) Severity Rating: Not critical Impact: Manipulation of data Where: Local System ====================================================================== 3) Vendor's Description of Software "Mathopd is a very small, yet very fast HTTP server for UN*X systems." Product Link: http://www.mathopd.org/ ====================================================================== 4) Description of Vulnerability Secunia Research has discovered a vulnerability in Mathopd, which can be exploited by malicious, local users to corrupt the contents of arbitrary files on a vulnerable system. Dump files are created insecurely by the "internal_dump()" function in "dump.c" when a SIGWINCH signal is caught. This can be exploited via symlink attacks to append dump data to arbitrary files on the system with the privileges of the user running Mathopd. Successful exploitation requires that Mathopd is running with the "-n" command line option, and the user running Mathopd resizes the terminal window. ====================================================================== 5) Solution Update to version 1.5p5. http://www.mathopd.org/download.html The vulnerability has also been fixed in the 1.6b6 BETA release. ====================================================================== 6) Time Table 22/03/2005 - Vendor notified. 22/03/2005 - Vendor response. 23/03/2005 - Public disclosure. ====================================================================== 7) Credits Discovered by Carsten Eiram, Secunia Research. ====================================================================== 8) References The Common Vulnerabilities and Exposures (CVE) project has assigned candidate number CAN-2005-0824 for the vulnerability. ====================================================================== 9) About Secunia Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia website: https://www.flexera.com/ Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration. Secunia offers a FREE mailing list called Secunia Security Advisories: https://www.flexera.com/secunia_security_advisories/ ====================================================================== 10) Verification Please verify this advisory by visiting the Secunia website: https://www.flexera.com/about-us/secunia-research/advisories/sr-2005-3.html Complete list of vulnerability reports published by Secunia Research: https://www.flexera.com/about-us/secunia-research/advisories/ ======================================================================