Rule:  

--
Sid:
1602

--
Summary:
This event is generated when an attempt is made to access htsearch.

--
Impact:
Severe. Unauthorized file access is possible.

--
Detailed Information:
Some versions of htdig allow inclusions to be made from configuration files as a parameter to the htsearch function. Any file can be included by enclosing it in single quotes ('foo').

Using this vulnerability, any single quoted input string (`....`) is included as an index file by htsearch. This allows an attacker to read any file on the host.

This event is generated when an attempt is made to access the cgi script htsearch. Refer to the rules with sid 1600 and 1601 for tracking actual exploit attempts.

--
Affected Systems:
HTDig versions 3.1.1, 3.1.2, 3.1.3, 3.1.4 and 3.2.0b1

--
Attack Scenarios:
A input form with a textbox named "Exclude" and http post action handled by htsearch or a url similar to http://www.foo.com/cgi-bin/htsearch?Exclude=%60/anyfile%60 can be used to access files on your host. %60 is the single quote caracter "`".

--
Ease of Attack:
Simple. No exploit scripts required

--
False Positives:
If htdig is used as a search engine for a website, this rule will generate an event for each request for htsearch.

--
False Negatives:
None known

--
Corrective Action:
Upgrade to the latest non-affected version of the software.

--
Contributors:
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>
Related Snort documentation contributed by Ueli Kistler, <u.kistler@engagesecurity.com>

-- 
Additional References:
Bugtraq:
http://www.securityfocus.com/bid/1026

--