Bugtraq mailing list archives
Re: Cgisecurity.com Advisory #6: thttpd and mini_http Permission bypass vuln
From: Klaxon <klaxon () netcabo pt>
Date: Wed, 14 Nov 2001 02:36:23 +0000
On 13.11.2001 16:25 zeno wrote:
> Scripts Affected: Thttpd Secure Webserver, and Mini_httpd Webserver
> If htaccess is used to password protect a directory, it is possible an attacker can access data behind the password protected area by knowing the name of the file he wants to view without a valid login. This also works on htpasswd files in general, which are protected by the webserver itself so that it cannot be readable by the web. A request like the one below will gladly feed the contents of a .htpasswd file.
Couldn't reproduce the described behavior running thttpd 2.20b on FreeBSD and Linux (with and without chroot).
Requesting any file before authenticating:
"Authorization required for the URL '/bar/foo.txt/'."
"Authorization required for the URL '/bar/.htpasswd/'."
"The requested URL '/bar/duh/' was not found on this server."
Requesting .htpasswd after basic authentication:
"The requested URL '/bar/.htpasswd/' is an authorization file, retrieving it is
Requesting unreadable file (mode 600) before authentication:
"The requested URL '/bar/foo.txt/' resolves to a file that is not world-readabl
--
EOF
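The checks Klaxon ran above (a protected file and the .htpasswd requested with and without credentials, and with the trailing-slash form) are easy to turn into a small probe that anyone can point at their own thttpd or mini_httpd instance. The script below is an added example for this thread, not code from either poster or from the thttpd project. It sends unauthenticated GETs for each protected path in both forms and reports whether the server answered with 401 (login demanded), 403 (refused, as thttpd does for authorization files), 404, or 200 (the file was served, which is the bypass the advisory claims). The host, port, paths and the offline sample responses are assumptions constructed for the demo; the "/vuln" entries are imagined to show what a positive report looks like, not a reproduced result.

```python
# Added example (not from the thread): probe a thttpd/mini_httpd-style server
# for the permission bypass the advisory describes, using the request shapes
# Klaxon tested. Host, port, paths and the sample responses used offline are
# assumptions/constructed for this demo.
import http.client
import re
from dataclasses import dataclass

# Verdicts for one unauthenticated request.
SERVED = "SERVED"                # 200: file contents came back without credentials
AUTH_REQUIRED = "AUTH_REQUIRED"  # 401: server demanded a login (expected)
FORBIDDEN = "FORBIDDEN"          # 403: refused outright (auth file, unreadable file)
NOT_FOUND = "NOT_FOUND"          # 404
OTHER = "OTHER"

# A served body made of "user:hash" lines is the worst case: the htpasswd itself.
_HTPASSWD_LINE = re.compile(rb"^[^:\s]+:[^\s]+$", re.M)


@dataclass
class Probe:
    path: str
    status: int
    verdict: str
    looks_like_htpasswd: bool


def classify(status: int, body: bytes) -> str:
    """Map an HTTP status to one of the verdicts above."""
    return {200: SERVED, 401: AUTH_REQUIRED, 403: FORBIDDEN, 404: NOT_FOUND}.get(status, OTHER)


def variants(path: str) -> list:
    """The two request forms from the thread: the path as-is and with a trailing slash."""
    base = path.rstrip("/")
    return [base, base + "/"]


def probe(host: str, port: int, path: str, connection_factory=http.client.HTTPConnection) -> Probe:
    """GET one path with no Authorization header and classify the answer."""
    conn = connection_factory(host, port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        body = resp.read()
    finally:
        conn.close()
    verdict = classify(resp.status, body)
    leak = verdict == SERVED and bool(_HTPASSWD_LINE.search(body))
    return Probe(path, resp.status, verdict, leak)


def audit(host: str, port: int, protected_paths, connection_factory=http.client.HTTPConnection):
    """Probe every protected path in both forms; return the list of Probe results."""
    return [probe(host, port, v, connection_factory)
            for p in protected_paths for v in variants(p)]


def bypasses(results):
    """Return the probes where an unauthenticated request was served."""
    return [r for r in results if r.verdict == SERVED]


def make_fake_connection(responses):
    """Build an offline stand-in for http.client.HTTPConnection.

    `responses` maps request path -> (status, body). Used so the example runs
    without a server; the answers are constructed, not captured from thttpd.
    """
    class _Resp:
        def __init__(self, status, body):
            self.status, self._body = status, body

        def read(self):
            return self._body

    class _Conn:
        def __init__(self, host, port=None, timeout=None):
            self._path = None

        def request(self, method, path, body=None, headers=None):
            self._path = path

        def getresponse(self):
            return _Resp(*responses.get(self._path, (404, b"not found")))

        def close(self):
            pass

    return _Conn


# Constructed sample: /bar behaves as Klaxon reports (no bypass); /vuln is an
# imagined vulnerable path included only to show what a positive report looks like.
SAMPLE_RESPONSES = {
    "/bar/foo.txt": (401, b"Authorization required."),
    "/bar/foo.txt/": (401, b"Authorization required."),
    "/bar/.htpasswd": (401, b"Authorization required."),
    "/bar/.htpasswd/": (403, b"authorization file, retrieving it is not permitted"),
    "/vuln/.htpasswd": (401, b"Authorization required."),
    "/vuln/.htpasswd/": (200, b"alice:$1$abc$xyz\n"),
}

if __name__ == "__main__":
    results = audit("localhost", 80, ["/bar/foo.txt", "/bar/.htpasswd", "/vuln/.htpasswd"],
                    make_fake_connection(SAMPLE_RESPONSES))
    for r in results:
        flag = "  <-- htpasswd-like body" if r.looks_like_htpasswd else ""
        print(f"{r.status} {r.verdict:13} {r.path}{flag}")
    print("bypass found" if bypasses(results) else "no bypass")
```

To run it against a real server, drop the `connection_factory` argument so `audit` uses `http.client.HTTPConnection` and pass the host, port and the paths you protect with .htaccess. A 401 or 403 for every form is the result Klaxon got; any 200 for a path that should require a login is what to chase, and a 200 whose body is flagged as htpasswd-like means the credential file itself is exposed.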
