TUCoPS :: Web :: Servers :: web4857.htm

Thttpd and Mini_Httpd Webserver Permission Bypass
14th Nov 2001 [SBWID-4857]
COMMAND

	Thttpd and Mini_Httpd Webserver Permission Bypass

SYSTEMS AFFECTED

	All versions on Freebsd, SunOs, Solaris, Linux, Other Unix

PROBLEM

	zenomorph [zeno@cgisecurity.com] published on [www.Cgisecurity.com] :
	

	The problem lies in the way the httpd daemon handles file  requests.  If
	a file is marked 403(not world readable), or is in a directory  that  is
	password protected, then it is possible to remotely  view  these  files.
	The thttpd  webserver  is  only  effected  when  the  chroot  option  is
	used(Kinda ironic), and all versions of mini_httpd webserver  appear  to
	be affected.
	 

	If htaccess is used to password protect a directory, it is  possible  an
	attacker can access data behind the password protected area  by  knowing
	the name of the file he wants to view without a valid login.  This  also
	works  on  htpasswd  files  in  general,  which  are  protected  by  the
	webserver itself so that it cannot be readable by  the  web.  A  request
	like the one below will gladly feed the contents of a .htpasswd file.
	  

	http://host/protected-dir/.htpasswd/ (Notice the / on the end)

	

SOLUTION

	The vendor has  been  contacted  about  this  issue.  Check  the  vendor
	webpage for newer webserver versions along with  patches  at  the  links
	below.
	 

	PATCH INFORMATION
	 

	http://www.acme.com/software/thttpd/

	http://www.acme.com/software/mini_httpd/

	 

	  ******************************************************************************************

	                                  THTTPD VENDOR PATCH BELOW THIS LINE

	 ******************************************************************************************

	 

	 <--- Insert patch here --->

	 

	 *** libhttpd.c.old      Mon Nov 12 17:44:18 2001

	 --- libhttpd.c  Mon Nov 12 16:28:42 2001

	 ***************

	 *** 1422,1429 ****

	         struct stat sb;

	         if ( stat( path, &sb ) != -1 )

	             {

	 !           httpd_realloc_str( &checked, &maxchecked, strlen( path ) );

	             (void) strcpy( checked, path );

	             httpd_realloc_str( &rest, &maxrest, 0 );

	             rest[0] = \'\\0\';

	             *restP = rest;

	 --- 1447,1461 ----

	         struct stat sb;

	         if ( stat( path, &sb ) != -1 )

	             {

	 !           checkedlen = strlen( path );

	 !           httpd_realloc_str( &checked, &maxchecked, checkedlen );

	             (void) strcpy( checked, path );

	 +           /* Trim trailing slashes. */

	 +           while ( checked[checkedlen - 1] == \'/\' )

	 +               {

	 +               checked[checkedlen - 1] = \'\\0\';

	 +               --checkedlen;

	 +               }

	             httpd_realloc_str( &rest, &maxrest, 0 );

	             rest[0] = \'\\0\';

	             *restP = rest;

	 

	 

	 <--- End of patch --->

	 

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH