Bugtraq mailing list archives
Re: Cgisecurity.com Advisory #6: thttpd and mini_http Permission bypass vuln
From: zeno <bugtraq () cgisecurity net>
Date: Wed, 14 Nov 2001 18:42:21 +0000 (GMT)
It appears my initial reply wasn't to the list.
On 13.11.2001 16:25 zeno wrote:
Scripts Affected: Thttpd Secure Webserver, and Mini_httpd Webserver
If htaccess is used to password protect a directory, it is possible an attacker can access data behind the password protected area by knowing the name of the file he wants to view without a valid login. This also works on htpasswd files in general, which are protected by the webserver itself so that it cannot be readable by the web. A request like the one below will gladly feed the contents of a .htpasswd file.
Couldn't reproduce the described behavior running thttpd 2.20b on freebsd and linux (with and without chroot) i
This had been tested on multiple machines. The vendor was also able to reproduce this with the chroot option also. Perhaps not all are affected like previously thought. Did you download it within the last 2 weeks? He put a patch in the version on his site with no public notice.