Bugtraq mailing list archives
Re: Cgisecurity.com Advisory #6: thttpd and mini_http Permission bypass vuln
From: Klaxon <klaxon () netcabo pt>
Date: Wed, 14 Nov 2001 02:36:23 +0000
On 13.11.2001 16:25 zeno wrote:
Scripts Effected: Thttpd Secure Webserver, and Mini_httpd Webserver
If htaccess is used to password protect a directory, it is possible an attacker can access data behind the password protected area by knowing the name of the file he wants to view without a valid login. This also works on htpasswd files in general, which are protected by the webserver itself so that it cannot be readable by the web. A request like the one below will gladly feed the contents of a .htpasswd file.
Couldn't reproduce the described behavior running thttpd 2.20b on freebsd and linux (with and without chroot) Requesting any file before authenticating: "Authorization required for the URL '/bar/foo.txt/'." "Authorization required for the URL '/bar/.htpasswd/'." "The requested URL '/bar/duh/' was not found on this server." Requesting .htpasswd after basic authentication: "The requested URL '/bar/.htpasswd/' is an authorization file, retrieving it is Requesting unreadable file (mode 600) before authentication: "The requested URL '/bar/foo.txt/' resolves to a file that is not world-readabl -- EOF
Current thread:
- Cgisecurity.com Advisory #6: thttpd and mini_http Permission bypass vuln zeno (Nov 13)
- Re: Cgisecurity.com Advisory #6: thttpd and mini_http Permission bypass vuln Klaxon (Nov 14)