Juniper Networks

Signature Detail

Security Intelligence Center

Short Name

HTTP:CGI:HTDIG-INCLUSION

Severity

Medium

Recommended

No

Category

HTTP

Keywords

ht://dig Arbitrary File Inclusion

Release Date

2003/04/22

Update Number

1213

Supported Platforms

idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+

HTTP: ht://dig Arbitrary File Inclusion

This signature detects attempts to exploit a vulnerability in ht://dig, a Web content search engine for UNIX. Because ht://dig improperly validates form input, attackers can pass a maliciously crafted variable to the htsearch CGI script to read files accessible to the program user.

Extended Description

ht://dig is a web content search engine for Unix platforms. The software is set up to allow file inclusion from configuration files: any string surrounded by the backquote (opening single quote) character ( ` ) is taken as the path of a file to include, for example:

some_parameter: `var/htdig/some_file`

ht://dig also allows included files to be specified via form input. Therefore, any web user can specify any file for inclusion into a variable.
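One way to look for the pattern this signature describes in ordinary web server logs, as an added example that is not Juniper's signature logic or part of the ht://dig project: the script below parses combined-format access-log lines, picks out requests to the htsearch CGI, and flags any query parameter whose URL-decoded value contains a backquote. The log lines, the script name check (`htsearch` / `htsearch.cgi`) and the field regex are assumptions constructed for the example.

```python
"""Flag htsearch requests whose form parameters carry a backquoted value.

Added detection example (not Juniper's signature, not ht://dig code).
Sample log lines below are constructed for illustration.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Combined access-log format: client, identd, user, [timestamp], "request line", status, size.
# Assumed layout; adjust the regex if your server logs a different format.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# CGI names treated as the ht://dig search front end (assumption).
HTSEARCH_NAMES = ("htsearch", "htsearch.cgi")


def backquoted_params(target):
    """Return (name, value) query pairs of an htsearch request whose decoded
    value contains a backquote; [] for other scripts or clean requests."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    if script not in HTSEARCH_NAMES:
        return []
    # parse_qsl decodes %60 to the literal backquote, so both encodings are caught.
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    return [(name, value) for name, value in pairs if "`" in value]


def scan_access_log(lines):
    """Yield one finding per log line that contains a backquoted htsearch parameter."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # malformed or differently formatted line; skip it
        suspect = backquoted_params(match.group("target"))
        if suspect:
            findings.append({
                "client": match.group("client"),
                "timestamp": match.group("ts"),
                "status": int(match.group("status")),
                "params": suspect,
            })
    return findings


# Constructed sample log: one normal search, one backquoted parameter on
# htsearch, one backquote on an unrelated CGI, and one garbage line.
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Apr/2003:10:00:01 +0000] '
    '"GET /cgi-bin/htsearch?words=juniper&format=builtin-long HTTP/1.0" 200 1834',
    '192.0.2.20 - - [22/Apr/2003:10:00:05 +0000] '
    '"GET /cgi-bin/htsearch?words=test&format=%60var/htdig/some_file%60 HTTP/1.0" 200 612',
    '192.0.2.30 - - [22/Apr/2003:10:00:09 +0000] '
    '"GET /cgi-bin/search.cgi?q=%60x%60 HTTP/1.0" 404 212',
    'not a log line',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding["client"], finding["timestamp"], finding["params"])
```

This only sees GET query strings; form input sent in a POST body is not recorded in a standard access log, so log review alone cannot replace the signature or a patched ht://dig. The script name check is deliberately narrow to keep false positives low; widen `HTSEARCH_NAMES` if the CGI is installed under another name.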

Affected Products

  • The ht://Dig Group ht://Dig 3.1.1
  • The ht://Dig Group ht://Dig 3.1.2
  • The ht://Dig Group ht://Dig 3.1.3
  • The ht://Dig Group ht://Dig 3.1.4
  • The ht://Dig Group ht://Dig 3.2.0 .0b1

References

  • BugTraq: 1026
  • CVE: CVE-2000-0208
  • URL: http://archives.neohapsis.com/archives/bugtraq/2000-02/0385.html
  • URL: http://securityfocus.com/bid/1026
  • URL: http://xforce.iss.net/static/4052.php

Copyright © 1999-2010 Juniper Networks, Inc. All rights reserved.