Htdig 3.1.4 search engine allows any file on the system to be read via CGI binary htsearch. Exploit information included.
1eecacdd74cf1f2d6d72a6122781d4380abec3bf059830728e3f5f5d2e059c08
software: ht://Dig
URL: https://www.htdig.org/
Version: 3.1.4, 3.2.0b1 and previous
Platforms: Unix, Win32, MacOS, Mac OS X Server
Type: CGI, Input validation problem
Vendor status: Notified, patch already available
Date: 02/28/2000
Summary:
Any remote user can view arbitrary files on your system with the
privileges of the web user.
Vulnerability:
The CGI does not properly verify form input. Many of the form
fields are applied as configuration attributes regardless of contents. The
configuration code allows config files to include other files through the
use of backticks, e.g.:
start_url: `/var/htdig/htdig.urls`
No distinction was made between CGI input and configuration file input
and both would be expanded for variables or file includes.
Exploit:
e.g. (this no longer works)
<https://www.htdig.org/cgi-bin/htsearch?exclude=%60/etc/passwd%60>
The file will show up in the source of the resulting page in the
"exclude" field of the search form. Other variations could be applied.
Workaround:
The recent 3.1.5 release fixes this problem. For the beta release
of 3.2.0b1, users should update to the latest development snapshot,
htdig-3.2.0b2-022700 and a 3.2.0b2 release will come out shortly. A patch
is also available to update from 3.1.4 to 3.1.5.
--
-Geoff Hutchison
Williams Students Online
https://wso.williams.edu/