GEN:SID 1:1602
Message WEB-CGI htsearch access
Summary This event is generated when an attempt is made to access htsearch.
Impact Severe. Unauthorized file access is possible.
Detailed Information Some versions of htdig allow inclusions to be made from configuration files as a parameter to the htsearch function. Any file can be included by enclosing it in single quotes ('foo').

Using this vulnerability, any single quoted input string (`....`) is included as an index file by htsearch. This allows an attacker to read any file on the host.

This event is generated when an attempt is made to access the cgi script htsearch. Refer to the rules with sid 1600 and 1601 for tracking actual exploit attempts.
Affected Systems HTDig versions 3.1.1, 3.1.2, 3.1.3, 3.1.4 and 3.2.0b1
Attack Scenarios A input form with a textbox named "Exclude" and http post action handled by htsearch or a url similar to http://www.foo.com/cgi-bin/htsearch?Exclude=%60/anyfile%60 can be used to access files on your host. %60 is the single quote caracter "`".
Ease of Attack Simple. No exploit scripts required
Corrective Action Upgrade to the latest non-affected version of the software.
Additional References Bugtraq:
http://www.securityfocus.com/bid/1026
Rule References bugtraq: 1026
cve: 2000-0208
nessus: 10105