Bugtraq mailing list archives
Cgisecurity.com Advisory #6: thttpd and mini_http Permission bypass vuln
From: zeno <zeno () cgisecurity net>
Date: Tue, 13 Nov 2001 16:25:39 +0000 (GMT)
Hello,
The vendor has already sent out notices and the patches can be found
on the vendor's homepage listed below.
- zeno () cgisecurity com
[ Cgi Security Advisory #6 ]
admin () cgisecurity com
Thttpd and Mini_Httpd Webserver Permission Bypass
Found: November 2001
Public Release: November 2001
Vendor Contacted: November 2001
Scripts Affected: Thttpd Secure Webserver, and Mini_httpd Webserver
Price: Free
Versions: All versions appear to be affected
Platforms: FreeBSD, SunOS, Solaris, Linux, Other Unix
Vendor: http://www.acme.com
1. Problem
The problem lies in the way the httpd daemon handles file requests.
If a file is marked 403 (not world readable), or is in a directory
that is password protected, then it is possible to remotely view these
files. The thttpd webserver is only affected when the chroot option is
used (kinda ironic), and all versions of mini_httpd webserver appear to
be affected.
If htaccess is used to password protect a directory, it is possible for an
attacker without a valid login to access data behind the password-protected
area by knowing the name of the file he wants to view. This also
works on htpasswd files in general, which are protected by the webserver
itself so that they cannot be read over the web. A request like the one
below will gladly feed the contents of a .htpasswd file.
http://host/protected-dir/.htpasswd/ (Notice the / on the end)
2. Fixes
The vendor has been contacted about this issue.
Check the vendor webpage for newer webserver versions
along with patches at the links below.
PATCH INFORMATION
http://www.acme.com/software/thttpd/
http://www.acme.com/software/mini_httpd/
******************************************************************************************
THTTPD VENDOR PATCH BELOW THIS LINE
******************************************************************************************
<--- Insert patch here --->
*** libhttpd.c.old Mon Nov 12 17:44:18 2001
--- libhttpd.c Mon Nov 12 16:28:42 2001
***************
*** 1422,1429 ****
struct stat sb;
if ( stat( path, &sb ) != -1 )
{
! httpd_realloc_str( &checked, &maxchecked, strlen( path ) );
(void) strcpy( checked, path );
httpd_realloc_str( &rest, &maxrest, 0 );
rest[0] = '\0';
*restP = rest;
--- 1447,1461 ----
struct stat sb;
if ( stat( path, &sb ) != -1 )
{
! checkedlen = strlen( path );
! httpd_realloc_str( &checked, &maxchecked, checkedlen );
(void) strcpy( checked, path );
+ /* Trim trailing slashes. */
+ while ( checked[checkedlen - 1] == '/' )
+ {
+ checked[checkedlen - 1] = '\0';
+ --checkedlen;
+ }
httpd_realloc_str( &rest, &maxrest, 0 );
rest[0] = '\0';
*restP = rest;
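Review bot: the new trim loop `while ( checked[checkedlen - 1] == '/' )` has no lower bound on checkedlen. If path consists only of slashes (for example "/", which stat() will accept), the loop strips every character, checkedlen reaches 0, and the next test indexes checked[checkedlen - 1] before the start of the buffer (or far past it if checkedlen is unsigned; its declaration is not visible in this hunk). Suggest `while ( checkedlen > 0 && checked[checkedlen - 1] == '/' )`, plus a short comment stating what an empty checked string is meant to signify to callers, since the original code never produced one from a non-empty path.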
<--- End of patch --->
Published to the Public November 2001
Copyright November 2001 Cgisecurity.com
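The trailing-slash request in section 1, shown as an added example that is not thttpd or mini_httpd code. It assumes the server refuses protected files by comparing the final path component against the auth-file name (an assumption; the advisory does not show that check), and the function names and sample paths are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define AUTH_FILE ".htpasswd"   /* name taken from the advisory's example request */

/* Hypothetical naive check: compare the text after the last '/' with AUTH_FILE.
 * For "protected-dir/.htpasswd/" that text is empty, so the check misses it. */
static int is_auth_file_naive(const char *path)
{
    const char *base = strrchr(path, '/');
    base = base ? base + 1 : path;
    return strcmp(base, AUTH_FILE) == 0;
}

/* Hardened check: ignore trailing slashes before isolating the last component.
 * The length guard keeps the loop from indexing before the buffer on "/" or "". */
static int is_auth_file_hardened(const char *path)
{
    size_t len = strlen(path);
    size_t start;

    while (len > 0 && path[len - 1] == '/')
        --len;
    start = len;
    while (start > 0 && path[start - 1] != '/')
        --start;
    return (len - start) == strlen(AUTH_FILE) &&
           memcmp(path + start, AUTH_FILE, len - start) == 0;
}

int main(void)
{
    /* Constructed sample paths, not taken from any real server log. */
    const char *samples[] = {
        "protected-dir/.htpasswd", "protected-dir/.htpasswd/",
        "protected-dir/.htpasswd///", "protected-dir/index.html", "/", ""
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; ++i)
        printf("%-28s naive=%d hardened=%d\n", samples[i],
               is_auth_file_naive(samples[i]),
               is_auth_file_hardened(samples[i]));
    return 0;
}
```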
