Date: Mon, 26 Jan 1998 18:49:37 -0600
From: Dennis Moore <rainking@FEEDING.FRENZY.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: Vulnerability in htmlscript

Htmlscript (www.htmlscript.com) has a vulnerability in it which allows you
to access system files, presumably any file the web server user can access.
I don't have the source or even a copy of the program itself, so I can't
say whether this is a configuration problem or not.  However, the fact that
the site which distributes the software is vulnerable is not promising.

According to its website, Miva (htmlscript 3.0) "is an HTML based web
development language which provides the power of scripting via new,
easy-to-use tags."

The exploit:
http://www.vulnerable.server.com/cgi-bin/htmlscript?../../../../etc/passwd

I suppose the number of ..s will depend on the location of the cgi program.
I glanced through their configuration file and it has a variable called
'htmlscriptroot' in it.  Since you would apparently get an error if this
were not set, I don't think setting it resolves the problem.

I did not discover this exploit, and I have no previous experience with
htmlscript.  The individual who reported it to me wishes to remain
anonymous.  They confirmed the problem on at least one other server using
the cgi.  Please do not email me about this problem.

--
pity this busy monster, manunkind,         |    Dennis  Moore    |       Sarah
not. Progress is a comfortable disease.    | rainking@frenzy.com |   McLachlan
   -e.e. cummings: One Times One           |  archon on the irc  |     "Black"
If I cried me a river of all my confessions would I drown in my shallow regret?