Secunia Research: Mathopd Insecure Dump File Creation Vulnerability

====================================================================== 

                     Secunia Research 23/03/2005

       - Mathopd Insecure Dump File Creation Vulnerability -

====================================================================== 
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10

====================================================================== 
1) Affected Software 

Mathopd 1.5p4
Mathopd 1.6b5 (BETA release)

NOTE: Prior versions may also be affected.

====================================================================== 
2) Severity 

Rating: Not critical 
Impact: Manipulation of data
Where:  Local System

====================================================================== 
3) Vendor's Description of Software 

"Mathopd is a very small, yet very fast HTTP server for UN*X systems."

Product Link:
http://www.mathopd.org/

====================================================================== 
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in Mathopd, which can
be exploited by malicious, local users to corrupt the contents of
arbitrary files on a vulnerable system.

Dump files are created insecurely by the "internal_dump()" function
in "dump.c" when a SIGWINCH signal is caught. This can be exploited
via symlink attacks to append dump data to arbitrary files on the
system with the privileges of the user running Mathopd.

Successful exploitation requires that Mathopd is running with the
"-n" command line option, and the user running Mathopd resizes the
terminal window.

====================================================================== 
5) Solution 

Update to version 1.5p5.
http://www.mathopd.org/download.html

The vulnerability has also been fixed in the 1.6b6 BETA release.

====================================================================== 
6) Time Table 

22/03/2005 - Vendor notified.
22/03/2005 - Vendor response.
23/03/2005 - Public disclosure.

====================================================================== 
7) Credits 

Discovered by Carsten Eiram, Secunia Research.

====================================================================== 
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned 
candidate number CAN-2005-0824 for the vulnerability.

====================================================================== 
9) About Secunia 

Secunia collects, validates, assesses, and writes advisories regarding 
all the latest software vulnerabilities disclosed to the public. These 
advisories are gathered in a publicly available database at the 
Secunia website: 

http://secunia.com/

Secunia offers services to our customers enabling them to receive all 
relevant vulnerability information to their specific system 
configuration. 

Secunia offers a FREE mailing list called Secunia Security Advisories: 

http://secunia.com/secunia_security_advisories/

====================================================================== 
10) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2005-03/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================