14th Nov 2001 [SBWID-4857]
COMMAND
Thttpd and Mini_Httpd Webserver Permission Bypass
SYSTEMS AFFECTED
All versions on Freebsd, SunOs, Solaris, Linux, Other Unix
PROBLEM
zenomorph [zeno@cgisecurity.com] published on [www.Cgisecurity.com] :
The problem lies in the way the httpd daemon handles file requests. If
a file is marked 403(not world readable), or is in a directory that is
password protected, then it is possible to remotely view these files.
The thttpd webserver is only effected when the chroot option is
used(Kinda ironic), and all versions of mini_httpd webserver appear to
be affected.
If htaccess is used to password protect a directory, it is possible an
attacker can access data behind the password protected area by knowing
the name of the file he wants to view without a valid login. This also
works on htpasswd files in general, which are protected by the
webserver itself so that it cannot be readable by the web. A request
like the one below will gladly feed the contents of a .htpasswd file.
http://host/protected-dir/.htpasswd/ (Notice the / on the end)
SOLUTION
The vendor has been contacted about this issue. Check the vendor
webpage for newer webserver versions along with patches at the links
below.
PATCH INFORMATION
http://www.acme.com/software/thttpd/
http://www.acme.com/software/mini_httpd/
******************************************************************************************
THTTPD VENDOR PATCH BELOW THIS LINE
******************************************************************************************
<--- Insert patch here --->
*** libhttpd.c.old Mon Nov 12 17:44:18 2001
--- libhttpd.c Mon Nov 12 16:28:42 2001
***************
*** 1422,1429 ****
struct stat sb;
if ( stat( path, &sb ) != -1 )
{
! httpd_realloc_str( &checked, &maxchecked, strlen( path ) );
(void) strcpy( checked, path );
httpd_realloc_str( &rest, &maxrest, 0 );
rest[0] = \'\\0\';
*restP = rest;
--- 1447,1461 ----
struct stat sb;
if ( stat( path, &sb ) != -1 )
{
! checkedlen = strlen( path );
! httpd_realloc_str( &checked, &maxchecked, checkedlen );
(void) strcpy( checked, path );
+ /* Trim trailing slashes. */
+ while ( checked[checkedlen - 1] == \'/\' )
+ {
+ checked[checkedlen - 1] = \'\\0\';
+ --checkedlen;
+ }
httpd_realloc_str( &rest, &maxrest, 0 );
rest[0] = \'\\0\';
*restP = rest;
<--- End of patch --->
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2025 AOH
