Cgisecurity.com Advisory #6: thttpd and mini_http Permission bypass vuln

From: zeno (zenoat_private)
Date: Tue Nov 13 2001 - 08:25:39 PST


     Hello,
     
     The vendor has already sent out notices and the patches can be found
     on the vendor's homepage listed below.
     
     - zenoat_private
     
     
                                        [ Cgi Security Advisory #6 ]
                                          adminat_private
                              Thttpd and Mini_Httpd Webserver Permission Bypass
     
     
     
     Found
     November 2001
     
     Public Release
     November 2001
     
     Vendor Contacted
     November 2001
     
     Scripts Affected: Thttpd Secure Webserver, and Mini_httpd Webserver
     Price: Free
     
     
     Versions:
     All versions appear to be affected
     
     Platforms:
     FreeBSD, SunOS, Solaris, Linux, Other Unix
     
     
     Vendor:
     http://www.acme.com
     
     
     1. Problem
     
     The problem lies in the way the httpd daemon handles file requests.
     If a file is marked 403 (not world readable), or is in a directory
     that is password protected, then it is possible to remotely view these
     files. The thttpd webserver is only affected when the chroot option is
     used (kinda ironic), and all versions of mini_httpd webserver appear to
     be affected.
     
     
     If htaccess is used to password protect a directory, it is possible for an
     attacker to access data behind the password protected area, without a valid
     login, by knowing the name of the file he wants to view. This also
     works on htpasswd files in general, which are protected by the webserver
     itself so that they cannot be read from the web. A request like the one
     below will gladly feed the contents of a .htpasswd file.
     
     http://host/protected-dir/.htpasswd/ (Notice the / on the end)
     
     
     
     2. Fixes
     
     The vendor has been contacted about this issue.
     Check the vendor webpage for newer webserver versions
     along with patches at the links below.
     
     PATCH INFORMATION
     http://www.acme.com/software/thttpd/
     http://www.acme.com/software/mini_httpd/
     
     
     
     ******************************************************************************************
                                      THTTPD VENDOR PATCH BELOW THIS LINE
     ******************************************************************************************
     
     <--- Insert patch here --->
     
     *** libhttpd.c.old      Mon Nov 12 17:44:18 2001
     --- libhttpd.c  Mon Nov 12 16:28:42 2001
     ***************
     *** 1422,1429 ****
             struct stat sb;
             if ( stat( path, &sb ) != -1 )
                 {
     !           httpd_realloc_str( &checked, &maxchecked, strlen( path ) );
                 (void) strcpy( checked, path );
                 httpd_realloc_str( &rest, &maxrest, 0 );
                 rest[0] = '\0';
                 *restP = rest;
     --- 1447,1461 ----
             struct stat sb;
             if ( stat( path, &sb ) != -1 )
                 {
     !           checkedlen = strlen( path );
     !           httpd_realloc_str( &checked, &maxchecked, checkedlen );
                 (void) strcpy( checked, path );
     +           /* Trim trailing slashes. */
     +           while ( checked[checkedlen - 1] == '/' )
     +               {
     +               checked[checkedlen - 1] = '\0';
     +               --checkedlen;
     +               }
                 httpd_realloc_str( &rest, &maxrest, 0 );
                 rest[0] = '\0';
                 *restP = rest;
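     Review bot: the new trim loop, while ( checked[checkedlen - 1] == '/' ),
     has no lower bound on checkedlen. For a path made up only of slashes
     (for example "/", which stat() accepts) it walks checkedlen down to 0
     and then reads checked[-1], and on the way it reduces the path to an
     empty string. Suggest bounding it, e.g.
     while ( checkedlen > 1 && checked[checkedlen - 1] == '/' ), or handling
     the all-slash case explicitly before the loop. The hunk also does not
     show a declaration for checkedlen, so confirm it is declared (ideally as
     size_t) elsewhere in the function, and extend the "Trim trailing
     slashes." comment to say that the trim exists so later permission and
     auth-file checks see the name without a trailing slash.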
     
     
     <--- End of patch --->
     
     Published to the Public November 2001
     Copyright November 2001 Cgisecurity.com
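
The trailing-slash problem in section 1 and the trim in the vendor patch can be seen in a small model. This is an added example, not code from the advisory or from thttpd: `is_auth_file`, `denied_raw` and `denied_normalised` are hypothetical names, the basename comparison is an assumed simplification of the server's protection check, and the sample paths are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical deny rule (assumption, not thttpd's code): refuse any path
 * whose final component is ".htpasswd". Returns 1 when it must be refused. */
static int is_auth_file(const char *path)
{
    const char *base = strrchr(path, '/');
    base = base ? base + 1 : path;
    return strcmp(base, ".htpasswd") == 0;
}

/* Trim trailing slashes in place, as the vendor patch does, with a lower
 * bound so an all-slash path never indexes path[-1]. Returns new length. */
static size_t trim_trailing_slashes(char *path)
{
    size_t len = strlen(path);
    while (len > 1 && path[len - 1] == '/')
        path[--len] = '\0';
    return len;
}

/* Naive order: the deny rule sees the request path exactly as sent. */
static int denied_raw(const char *request)
{
    return is_auth_file(request);
}

/* Hardened order: canonicalise first, then apply the deny rule. */
static int denied_normalised(const char *request)
{
    char buf[256];
    if (strlen(request) >= sizeof buf)
        return 1;                       /* fail closed on oversized input */
    strcpy(buf, request);
    trim_trailing_slashes(buf);
    return is_auth_file(buf);
}

int main(void)
{
    /* Constructed sample request paths. */
    const char *samples[] = { "protected-dir/.htpasswd", "protected-dir/.htpasswd/",
                              "protected-dir/.htpasswd///", "protected-dir/index.html", "/" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s raw=%d normalised=%d\n", samples[i],
               denied_raw(samples[i]), denied_normalised(samples[i]));
    return 0;
}
```

The same ordering rule applies to any name-based access check: compare against the canonical path the file system will resolve, not the string the client sent.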
     
    



    This archive was generated by hypermail 2b30 : Tue Nov 13 2001 - 14:08:43 PST