======================================================================
Secunia Research 23/03/2005
- Mathopd Insecure Dump File Creation Vulnerability -
======================================================================
Table of Contents
Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10
======================================================================
1) Affected Software
Mathopd 1.5p4
Mathopd 1.6b5 (BETA release)
NOTE: Prior versions may also be affected.
======================================================================
2) Severity
Rating: Not critical
Impact: Manipulation of data
Where: Local System
======================================================================
3) Vendor's Description of Software
"Mathopd is a very small, yet very fast HTTP server for UN*X systems."
Product Link:
http://www.mathopd.org/
======================================================================
4) Description of Vulnerability
Secunia Research has discovered a vulnerability in Mathopd, which can
be exploited by malicious, local users to corrupt the contents of
arbitrary files on a vulnerable system.
Dump files are created insecurely by the "internal_dump()" function
in "dump.c" when a SIGWINCH signal is caught. This can be exploited
via symlink attacks to append dump data to arbitrary files on the
system with the privileges of the user running Mathopd.
Successful exploitation requires that Mathopd is running with the
"-n" command line option, and the user running Mathopd resizes the
terminal window.
======================================================================
5) Solution
Update to version 1.5p5.
http://www.mathopd.org/download.html
The vulnerability has also been fixed in the 1.6b6 BETA release.
======================================================================
6) Time Table
22/03/2005 - Vendor notified.
22/03/2005 - Vendor response.
23/03/2005 - Public disclosure.
======================================================================
7) Credits
Discovered by Carsten Eiram, Secunia Research.
======================================================================
8) References
The Common Vulnerabilities and Exposures (CVE) project has assigned
candidate number CAN-2005-0824 for the vulnerability.
======================================================================
9) About Secunia
Secunia collects, validates, assesses, and writes advisories regarding
all the latest software vulnerabilities disclosed to the public. These
advisories are gathered in a publicly available database at the
Secunia website:
https://www.flexera.com/
Secunia offers services to our customers enabling them to receive all
relevant vulnerability information to their specific system
configuration.
Secunia offers a FREE mailing list called Secunia Security Advisories:
https://www.flexera.com/secunia_security_advisories/
======================================================================
10) Verification
Please verify this advisory by visiting the Secunia website:
https://www.flexera.com/about-us/secunia-research/advisories/sr-2005-3.html
Complete list of vulnerability reports published by Secunia Research:
https://www.flexera.com/about-us/secunia-research/advisories/
======================================================================