htdig.txt

`software: ht://Dig  
URL: http://www.htdig.org/  
Version: 3.1.4, 3.2.0b1 and previous  
Platforms: Unix, Win32, MacOS, Mac OS X Server  
Type: CGI, Input validation problem  
Vendor status: Notified, patch already available  
Date: 02/28/2000  
  
Summary:  
  
Any remote user can view arbitrary files on your system with the  
privileges of the web user.  
  
Vulnerability:  
  
The CGI does not properly verify form input. Many of the form  
fields are applied as configuration attributes regardless of contents. The  
configuration code allows config files to include other files through the  
use of backticks, e.g.:  
  
start_url: `/var/htdig/htdig.urls`  
  
No distinction was made between CGI input and configuration file input  
and both would be expanded for variables or file includes.  
  
Exploit:  
  
e.g. (this no longer works)  
<http://www.htdig.org/cgi-bin/htsearch?exclude=%60/etc/passwd%60>  
  
The file will show up in the source of the resulting page in the  
"exclude" field of the search form. Other variations could be applied.  
  
Workaround:  
  
The recent 3.1.5 release fixes this problem. For the beta release  
of 3.2.0b1, users should update to the latest development snapshot,  
htdig-3.2.0b2-022700 and a 3.2.0b2 release will come out shortly. A patch  
is also available to update from 3.1.4 to 3.1.5.  
  
--  
-Geoff Hutchison  
Williams Students Online  
http://wso.williams.edu/  
  
  
`