FYI, anyone using thttpd should take note of the below and ensure they aren't vulnerable. The exploit is obvious from the fix so I won't belabour the point. ---------- Forwarded message ---------- Date: Mon, 10 Aug 1998 19:24:57 -0700 From: Jef Poskanzer <jefat_private> To: thttpdat_private Cc: Marc Slemko <marcsat_private> Subject: thttpd 2.04 released Marc Slemko discovered a fairly serious security problem in thttpd. If you're not running chrooted, an attacker can use this bug to read files outside of your document tree, for instance /etc/passwd. Obviously this warrants an immediate patch release. If you are running thttpd chrooted (i.e. you start it as root), then you are safe from this bug. Better install the fix anyway though. New in version 2.04: - The simple mmap cache added in version 2.01 is now more aggressive, improving performance when a small set of files gets fetched a while lot. - Fixed bug in filename translation. Tarchive available as usual at http://www.acme.com/software/thttpd/ If all you want is the bug fix, a patch for just that is appended. --- Jef Jef Poskanzer jefat_private http://www.acme.com/jef/ *** /tmp/,RCSt101alaP Mon Aug 10 19:09:49 1998 --- libhttpd.c Mon Aug 10 19:09:31 1998 *************** *** 975,980 **** --- 975,986 ---- (void) strcpy( rest, path ); if ( rest[restlen - 1] == '/' ) rest[--restlen] = '\0'; /* trim trailing slash */ + /* Remove any leading slashes. */ + while ( rest[0] == '/' ) + { + (void) strcpy( rest, &(rest[1]) ); + --restlen; + } r = rest; nlinks = 0;
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:13:10 PDT