Re: Cgisecurity.com Advisory #6: thttpd and mini_http Permission bypass vuln

From: zeno (bugtraqat_private)
Date: Wed Nov 14 2001 - 10:42:21 PST

  • Next message: Cisco Systems Product Security Incident Response Team: "Cisco Security Advisory: Multiple Vulnerabilities in Access Control List Implementation for Cisco 12000 Series Internet Router" 

    It appears my initial reply wasn't to the list.

> 
> On 13.11.2001 16:25 zeno wrote:
> 
> >  Scripts Effected: Thttpd Secure Webserver, and Mini_httpd Webserver
> 
> >  If htaccess is used to password protect a directory, it is possible an
> >  attacker can access data behind the password protected area by knowing
> >  the name of the file he wants to view without a valid login. This also
> >  works on htpasswd files in general, which are protected by the webserver
> >  itself so that it cannot be readable by the web. A request like the one
> >  below will gladly feed the contents of a .htpasswd file.
> 
>   Couldn't reproduce the described behavior running thttpd 2.20b on freebsd
> and linux (with and without chroot)
>i

This had been tested on multiple machines. The vendor was also able to reproduce this
with the chroot option also. Perhaps not all are effected like previously thought.

Did you download it within the last 2 weeks? He put a patch in the version on his site
with no public notice.

    This archive was generated by hypermail 2b30 : Wed Nov 14 2001 - 14:47:12 PST