ht://Dig remote information exposure

[ghutchis () WSO WILLIAMS EDU (Geoff Hutchison)]

Software:       ht://Dig
URL:            http://www.htdig.org/
Version:        3.1.4, 3.2.0b1 and previous
Platforms:      Unix, Win32, MacOS, Mac OS X Server
Type:           CGI, Input validation problem
Vendor status:  Notified, patch already available
Date:           02/28/2000

Summary:

        Any remote user can view arbitrary files on your system with the
privileges of the web user.

Vulnerability:

        The CGI does not properly verify form input. Many of the form
fields are applied as configuration attributes regardless of contents. The
configuration code allows config files to include other files through the
use of backticks, e.g.:

start_url:      `/var/htdig/htdig.urls`

No distinction was made between CGI input and configuration file input
and both would be expanded for variables or file includes.

Exploit:

e.g. (this no longer works)
<http://www.htdig.org/cgi-bin/htsearch?exclude=%60/etc/passwd%60>

        The file will show up in the source of the resulting page in the
"exclude" field of the search form. Other variations could be applied.

Workaround:

        The recent 3.1.5 release fixes this problem. For the beta release
of 3.2.0b1, users should update to the latest development snapshot,
htdig-3.2.0b2-022700 and a 3.2.0b2 release will come out shortly. A patch
is also available to update from 3.1.4 to 3.1.5.

--
-Geoff Hutchison
Williams Students Online
http://wso.williams.edu/