vendor:
ht://dig
by:
CVSS: 5.5 (MEDIUM)
Arbitrary File Inclusion
CWE
Product Name: ht://dig
Affected Version From:
Affected Version To:
Patch Exists:
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Unix

ht://dig Arbitrary File Inclusion

The ht://dig web content search engine for Unix platforms supports a file-inclusion syntax in its configuration files: a backtick-quoted string in an attribute value is treated as the path of a file whose contents are substituted into that attribute. Because the htsearch CGI also accepts configuration attributes from form input, a remote, unauthenticated web user can supply a backtick-quoted path of their choosing and have the contents of any file readable by the web server process (for example /etc/passwd) returned in the search results page.

Mitigation:

Do not allow configuration attributes to be set from untrusted form input; where form parameters must map onto attributes, reject values containing the backtick file-inclusion syntax before they are interpreted. Run htsearch as an unprivileged user (and, where practical, chrooted) so that only files that user can read are exposed, and upgrade to a vendor version in which this issue is fixed.
Source (Exploit-DB raw data):

source: https://www.securityfocus.com/bid/1026/info

ht://dig is a web content search engine for Unix platforms. The software is set up to allow for file inclusion from configuration files. Any string surrounded by backtick (backquote) characters ( ` ) is taken as the path of a file whose contents are included in place of the string, for example:
some_parameter:	`var/htdig/some_file`

htsearch also allows configuration attributes, including ones containing this inclusion syntax, to be specified via form input (query string parameters). Therefore, any web user can have the contents of any file readable by the web server process included into a variable.

The URL:
http://target/cgi-bin/htsearch?Exclude=%60/etc/passwd%60
(where %60 is the URL-encoded backtick) will return a page with the contents of /etc/passwd in the 'Exclude' field.
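The following is an added example, not code from ht://dig or from the advisory. It models the backtick inclusion syntax described above with a simplified stand-in parser over a constructed in-memory file table (the function and variable names, the FAKE_FS contents and the sample log lines are all assumptions), shows a hypothetical hardened variant that refuses inclusion syntax in form-supplied attributes, and scans constructed access-log lines for htsearch requests carrying a backtick (raw or as %60) in any parameter value.

```python
import re
from urllib.parse import urlparse, parse_qs

# Assumed, simplified model of the attribute syntax the advisory describes:
# a backtick-delimited path inside an attribute value is replaced by the
# contents of that file. This is a stand-in, not ht://dig's own parser.
BACKTICK_INCLUDE = re.compile(r"`([^`]*)`")

# Constructed in-memory "filesystem" so the example runs offline.
FAKE_FS = {
    "/var/htdig/some_file": "foo bar baz\n",
    "/etc/passwd": "root:x:0:0:root:/root:/bin/sh\n",
}


def read_file(path):
    """Stand-in for open(path).read(); raises KeyError for unknown paths."""
    return FAKE_FS[path]


def expand_attribute_vulnerable(value):
    """Expand every `path` in the value, regardless of where the value came from.
    This is the behaviour the advisory describes: a form-supplied attribute
    such as Exclude=`/etc/passwd` pulls that file into the attribute."""
    return BACKTICK_INCLUDE.sub(lambda m: read_file(m.group(1)), value)


def expand_attribute_hardened(value, from_form_input):
    """Only honour inclusion syntax in attributes read from the on-disk
    configuration file; reject it outright in anything that arrived via
    form input. (Hypothetical mitigation, not a vendor patch.)"""
    if from_form_input:
        if "`" in value:
            raise ValueError("file inclusion syntax is not permitted in form-supplied attributes")
        return value
    return BACKTICK_INCLUDE.sub(lambda m: read_file(m.group(1)), value)


REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+)')


def find_inclusion_attempts(log_lines):
    """Scan Common Log Format lines for htsearch requests whose query string
    carries a backtick (sent raw or as %60) in any parameter value.
    Returns (client_ip, parameter, decoded_value) tuples."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlparse(m.group(1))
        if not url.path.endswith("/htsearch"):
            continue
        # parse_qs percent-decodes once, so %60 becomes a literal backtick.
        for param, values in parse_qs(url.query, keep_blank_values=True).items():
            for v in values:
                if "`" in v:
                    hits.append((line.split()[0], param, v))
    return hits


# Constructed sample access log (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2000:12:00:00 +0000] "GET /cgi-bin/htsearch?words=htdig HTTP/1.0" 200 1234',
    '10.0.0.9 - - [01/Jan/2000:12:00:01 +0000] "GET /cgi-bin/htsearch?Exclude=%60/etc/passwd%60 HTTP/1.0" 200 4321',
    '10.0.0.9 - - [01/Jan/2000:12:00:02 +0000] "GET /index.html HTTP/1.0" 200 99',
]


if __name__ == "__main__":
    print("config file:", expand_attribute_vulnerable("`/var/htdig/some_file`"))
    print("form input (vulnerable):", expand_attribute_vulnerable("`/etc/passwd`"))
    try:
        expand_attribute_hardened("`/etc/passwd`", from_form_input=True)
    except ValueError as e:
        print("form input (hardened):", e)
    for ip, param, value in find_inclusion_attempts(SAMPLE_LOG):
        print(f"inclusion attempt from {ip}: {param}={value!r}")
```

The log scan decodes the query string once, so a request that double-encodes the backtick (%2560) would not be flagged by this check; a server that decodes only once would not be exploited by it either, but it is worth keeping in mind when tuning the detection.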