‘htDig reveals web server configuration paths’

Summary

‘A security vulnerability in htDig’s CGI implementation allows remote users to find the directory location of configuration files used by htDig. This allows remote attackers to collect important information for further attacks.
A patch is available from the vendor that solves this vulnerability.’

Credit:

‘We would like to thank Geoff Hutchison for his help in ‘defusing’ this vulnerability.’


Details

Vulnerable systems:
htDig 3.1.5 (stable release)
htDig 3.2 (beta release)

Exploit:
When requesting a URL such as:
http://www.example.com/cgi-bin/htsearch?config=aaa

the htDig engine replies with an error saying that it could not find the configuration file ‘aaa’, but the error string includes the full directory path of the configuration file.
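To spot this probing in web server logs, the following added example (not part of the original advisory or of htDig) scans access-log lines for htsearch requests whose `config` value is not one the site's own search forms submit. The allowlist entry `htdig`, the function name and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: config names this site's search forms legitimately submit.
ALLOWED_CONFIGS = {"htdig"}

# Common/Combined Log Format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def unexpected_config_requests(lines, allowed=ALLOWED_CONFIGS):
    """Return (host, time, config_value) for htsearch hits whose config is not allowed."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing at their fields
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/htsearch"):
            continue
        # parse_qs percent-decodes values and keeps repeated parameters
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("config", []):
            if value not in allowed:
                findings.append((m.group("host"), m.group("time"), value))
    return findings

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Apr/2000:12:01:07 +0000] "GET /cgi-bin/htsearch?config=htdig&words=linux HTTP/1.0" 200 5120',
    '198.51.100.7 - - [19/Apr/2000:12:02:41 +0000] "GET /cgi-bin/htsearch?config=aaa HTTP/1.0" 200 412',
    '198.51.100.7 - - [19/Apr/2000:12:02:44 +0000] "GET /cgi-bin/htsearch?words=x&config=%61%61%61 HTTP/1.0" 200 412',
    '192.0.2.10 - - [19/Apr/2000:12:03:00 +0000] "GET /index.html HTTP/1.0" 200 2048',
    'garbled line without a request',
]

if __name__ == "__main__":
    for host, when, value in unexpected_config_requests(SAMPLE_LOG):
        print(f"{when} {host} requested htsearch with config={value!r}")
```

Only values carried in the query string are visible this way; an access log does not record request bodies.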

Patch:
Index: htsearch.cc
===================================================================
RCS file: /opt/htdig/cvs/htdig3/htsearch/htsearch.cc,v
retrieving revision 1.24.2.9
diff -c -3 -p -r1.24.2.9 htsearch.cc
*** htsearch.cc 2000/02/15 22:20:02 1.24.2.9
— htsearch.cc 2000/04/19 12:20:47
*************** main(int ac, char **av)
*** 149,156 ****
      }
      if (access(configFile, R_OK) < 0)
      {
! reportError(form(‘Unable to read configuration file ‘%s”,
! configFile.get()));
      }
      config.Read(configFile);
  
— 149,155 —-
      }
      if (access(configFile, R_OK) < 0)
      {
! reportError(‘Unable to read configuration file’);
      }
      config.Read(configFile);
  
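Review bot: Removing configFile from the reportError() call in the access(configFile, R_OK) branch also removes the only indication of which file could not be read, so an administrator has nothing to diagnose from. Consider writing the path to a server-side log (for example stderr) before calling reportError(‘Unable to read configuration file’), so the detail stays on the server while the response sent to the client stays generic.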
*************** main(int ac, char **av)
*** 248,277 ****
      String word_db = config[‘word_db’];
      if (access(word_db, R_OK) < 0)
      {
! reportError(form(‘Unable to read word database file ‘%s’nDid you run htmerge?’,
! word_db.get()));
      }
      ResultList *results = htsearch(word_db, searchWords, parser);
  
      String index = config[‘doc_index’];
      if (access(index, R_OK) < 0)
      {
! reportError(form(‘Unable to read document index file ‘%s’nDid you run htmerge?’,
! index.get()));
      }
      String doc_db = config[‘doc_db’];
      if (access(doc_db, R_OK) < 0)
      {
! reportError(form(‘Unable to read document database file ‘%s’nDid you run htmerge?’,
! doc_db.get()));
      }
  
      Display display(index, doc_db);
      if (display.hasTemplateError())
        {
! reportError(form(‘Unable to read template file ‘%s’nDoes it exist?’,
!                          config[‘template_name’]));
! return 0;
        }
      display.setOriginalWords(originalWords);
      display.setResults(results);
— 247,271 —-
      String word_db = config[‘word_db’];
      if (access(word_db, R_OK) < 0)
      {
! reportError(‘Unable to read word database filenDid you run htmerge?’);
      }
      ResultList *results = htsearch(word_db, searchWords, parser);
  
      String index = config[‘doc_index’];
      if (access(index, R_OK) < 0)
      {
! reportError(‘Unable to read document index filenDid you run htmerge?’);
      }
      String doc_db = config[‘doc_db’];
      if (access(doc_db, R_OK) < 0)
      {
! reportError(‘Unable to read document database filenDid you run htmerge?’);
      }
  
      Display display(index, doc_db);
      if (display.hasTemplateError())
        {
! reportError(‘Unable to read template filenDoes it exist?’);
        }
      display.setOriginalWords(originalWords);
      display.setResults(results);’
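Review bot: The display.hasTemplateError() branch drops `return 0;` along with the template name, so unless reportError() never returns, execution now falls through to display.setOriginalWords() and display.setResults() with a template that failed to load. Confirm that reportError() terminates the process, or keep the `return 0;` after the new reportError() call. The same server-side logging point applies to the word_db, index and doc_db branches, which no longer say which file was unreadable.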
