6.4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:N/A:P
0.016 Low
EPSS
Percentile
87.3%
The remote CGI htsearch allows the user to supply his own configuration file using the ‘-c’ switch, as in :
/cgi-bin/htsearch?-c/some/config/file
This file is not displayed by htsearch. However, if an attacker manages to upload a configuration file to the remote server, it may make htsearch read arbitrary files on the remote host.
An attacker may also use this flaw to exhaust the resources on the remote host by specifying /dev/zero as a configuration file.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if(description)
{
script_id(10784);
script_version("1.33");
script_cve_id("CVE-2001-0834");
script_bugtraq_id(3410);
script_xref(name:"DSA", value:"080");
script_xref(name:"RHSA", value:"2001:139");
script_name(english:"ht://Dig htsearch Multiple Vulnerabilities");
script_set_attribute(attribute:"synopsis", value:
"The remote host contains a web search engine that is affected by
multiple vulnerabilities." );
script_set_attribute(attribute:"description", value:
"The remote CGI htsearch allows the user to supply his own
configuration file using the '-c' switch, as in :
/cgi-bin/htsearch?-c/some/config/file
This file is not displayed by htsearch. However, if an
attacker manages to upload a configuration file to the remote
server, it may make htsearch read arbitrary files on the remote host.
An attacker may also use this flaw to exhaust the resources on the
remote host by specifying /dev/zero as a configuration file." );
script_set_attribute(attribute:"see_also", value:"ftp://ftp.sco.com/pub/security/OpenLinux/CSSA-2001-035.0.txt" );
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f7ee9854" );
script_set_attribute(attribute:"solution", value:
"Upgrade to ht://Dig 3.1.6 or newer." );
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:P");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"plugin_publication_date", value: "2001/10/17");
script_set_attribute(attribute:"vuln_publication_date", value: "2001/09/03");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();
script_summary(english:"htsearch?-c/nonexistent");
script_family(english:"CGI abuses");
script_category(ACT_GATHER_INFO);
script_dependencie("find_service1.nasl", "http_version.nasl");
script_require_ports("Services/www", 80);
script_exclude_keys("Settings/disable_cgi_scanning");
script_copyright(english:"This script is Copyright (C) 2001-2021 Tenable Network Security, Inc.");
exit(0);
}
#
# The script code starts here
#
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
port = get_http_port(default:80);
foreach dir (cgi_dirs())
{
res = http_send_recv3(method:"GET", item:string(dir, "/htsearch?-c/nonexistent"), port:port, exit_on_fail: 1);
if("Unable to read configuration file '/nonexistent'" >< res[2])
{
security_warning(port);
exit(0);
}
}