Bugzilla – Bug 63957
VUL-0: CVE-2004-1061: htdig: potential new htDig Xss vulnerability
Last modified: 2021-09-26 10:32:25 UTC
From: mikx <mikx@mikx.de>
To: security@suse.de, webmaster@suse.de
Date: Fri, 3 Dec 2004 15:46:24 +0100
Cc:
Subject: [security@suse.de] Cross-Site Scripting Vulnerability on suse.de
Reply-To: mikx <mikx@mikx.de>
Errors-To: security-bounces+meissner=suse.de@suse.de

Hello, this is a security vulnerability report. Please confirm receipt of this mail.

__Vulnerability Summary

suse.de suffers a Cross-Site Scripting (XSS) vulnerability:

http://www.suse.de/cgi-bin/htsearch.cgi?words="><script>alert(document.cookie)</script><x%20&config=htdig_de

The parameter "words" does not get encoded in the output page. This can be used to obfuscate/fake the output and/or steal cookies by inserting arbitrary html/javascript code.

__Contact Information

Please contact me by email or IM, both: mikx@mikx.de

Kind regards,
Michael Krax aka mikx
See above URL.
It is unclear whether this is a problem of htdig and/or of the templates used. I guess htdig itself.
CAN-2004-1059 mnogosearch (as used at www.redhat.com)
CAN-2004-1061 htdig (as used at www.suse.de) <<<<< this one
CAN-2004-1062 viewcvs (as used at cvs.apache.org)
To fix the bug, I need some coding help.
I do not know how our templates look yet, but I suspect they contain $&(WORDS) (& for url decode). We might need to change this to $%&(WORDS) (& for url decode, % for url encode).
The templates just contain $(WORDS). I will change all of them to $%&(WORDS). But this will not help when the exploit URL is directly entered into the browser's address field as in the example above - or am I wrong with this assumption?
The magic chars %& should:
& - dequote the passed URL
% - encode it again
... can you try the exploit after the template change? It should no longer work.
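As an added illustration (not code from htdig or from anyone in this thread), a small Python model of the three template spellings discussed above, with the modifier meanings taken from the description in this comment; it shows why $%&(WORDS) stops the reflected tag but also why an ordinary query comes out URL-encoded in the page, and compares HTML entity escaping as the alternative. The template markup and the inputs are constructed, and the modifier semantics are an assumption modelled on this thread rather than htdig's real engine.

```python
import html
import re
from urllib.parse import quote, unquote

# Constructed stand-in for htdig's template expansion, modelled only on how the
# modifiers are described in this thread ('&' URL-decodes, '%' URL-encodes).
# Assumption: this is not htdig's own code and may not match its real engine.
VAR = re.compile(r"\$([%&]*)\(WORDS\)")

def expand(template, words):
    """Expand $(WORDS), applying modifiers innermost (rightmost) first, so
    '$%&(WORDS)' means: URL-decode the value, then URL-encode the result."""
    def substitute(match):
        value = words
        for modifier in reversed(match.group(1)):
            value = unquote(value) if modifier == "&" else quote(value, safe="")
        return value
    return VAR.sub(substitute, template)

# The three template spellings discussed in the thread (placeholder markup,
# not the real suse.de template).
TEMPLATES = {
    "raw": "Searched for: <b>$(WORDS)</b>",          # reflects the input verbatim
    "decoded": "Searched for: <b>$&(WORDS)</b>",     # URL-decode only
    "reencoded": "Searched for: <b>$%&(WORDS)</b>",  # decode, then URL-encode
}

def render(style, words):
    """Render one of the template spellings above with the given search words."""
    return expand(TEMPLATES[style], words)

def render_html_escaped(words):
    """Alternative not used in the thread: escape HTML metacharacters instead,
    which neutralises tags while leaving an ordinary query readable."""
    return "Searched for: <b>%s</b>" % html.escape(words, quote=True)

def has_raw_tag(rendered):
    """Demonstration check: does a literal <script> tag survive into the page?"""
    return "<script" in rendered.lower()

# Constructed inputs: what the CGI hands the template after decoding the
# 'words' parameter; the first mirrors the shape of the reporter's payload.
TAG_INPUT = '"><script>alert(1)</script><x '
PLAIN_INPUT = "suse linux"

if __name__ == "__main__":
    for style in TEMPLATES:
        out = render(style, TAG_INPUT)
        print(f"{style:9s} tag survives: {has_raw_tag(out)!s:5s} {out}")
    print("reencoded plain query:   ", render("reencoded", PLAIN_INPUT))
    print("html-escaped plain query:", render_html_escaped(PLAIN_INPUT))
```

The "reencoded" plain-query line is the doubly quoted effect seen after the template change: spaces and punctuation in a normal search reach the page as %xx sequences.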
Hmm, it is better now. However, it is somehow doubly quoting itself. Can we leave it that way for our site?
Sure. Given the fact that all www.suse.* addresses will be redirected to novell.com within the next 2 weeks, it is ok. And yes, the exploit doesn't work anymore. Thanks Marcus!
Reopened by meissner@suse.de at Wed Dec 8 18:40:18 2004
Thanks Frank! I have to review the htdig examples themselves and perhaps release an advisory for our customers... so reopened for the security team to handle further.
The htdig default templates use $&(WORDS), which is, I guess, the canonical correct way. Anyway, with the move to novell.com this is obsolete. No action required, but I will add a note to our weekly summary.
On second thought: no.
CVE-2004-1061: CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)