From zeno@cgisecurity.net Wed Nov 14 00:28:14 2001
From: zeno
To: bugtraq@securityfocus.com, vuln-dev@securityfocus.com, webappsec@securityfocus.com
Date: Tue, 13 Nov 2001 16:25:39 +0000 (GMT)
Subject: Cgisecurity.com Advisory #6: thttpd and mini_http Permission bypass vuln

Hello,

The vendor has already sent out notices, and the patches can be found on the vendor's homepage listed below.

- zeno@cgisecurity.com

[ Cgi Security Advisory #6 ]                          admin@cgisecurity.com

Thttpd and Mini_Httpd Webserver Permission Bypass

Found:            November 2001
Public Release:   November 2001
Vendor Contacted: November 2001
Scripts Affected: Thttpd Secure Webserver, and Mini_httpd Webserver
Price:            Free
Versions:         All versions appear to be affected
Platforms:        FreeBSD, SunOS, Solaris, Linux, other Unix
Vendor:           http://www.acme.com

1. Problem

The problem lies in the way the httpd daemon handles file requests. If a file is not world-readable (which the server would normally answer with a 403), or sits in a directory that is password protected, it is possible to view it remotely. The thttpd webserver is only affected when the chroot option is used (kinda ironic), and all versions of the mini_httpd webserver appear to be affected.

If htaccess is used to password protect a directory, an attacker who knows the name of a file behind the protected area can read it without a valid login. This also works on htpasswd files in general, which the webserver itself is supposed to keep from being readable over the web. A request like the one below will gladly feed the contents of a .htpasswd file:

http://host/protected-dir/.htpasswd/

(Notice the / on the end.)

2. Fixes

The vendor has been contacted about this issue. Check the vendor webpage for newer webserver versions along with patches at the links below.
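An added example, not part of this advisory and not thttpd's or mini_httpd's own code, modelling the bypass described above and the trailing-slash trim from the vendor patch further down. The name-based protection check is an assumed toy model of the class of bug (access decision made on the un-normalised request name), not the servers' real logic; the buffer size and function names are likewise assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Bounded form of the trim loop in the vendor patch: the hunk's loop has
 * no lower bound, so a path made only of slashes would read checked[-1].
 * Returns the length after trimming. */
size_t trim_trailing_slashes(char *checked)
{
    size_t checkedlen = strlen(checked);
    while (checkedlen > 0 && checked[checkedlen - 1] == '/') {
        checked[checkedlen - 1] = '\0';
        --checkedlen;
    }
    return checkedlen;
}

/* Bounded copy of request_path into out, then trim; returns trimmed length. */
size_t normalise_path(const char *request_path, char *out, size_t outsz)
{
    strncpy(out, request_path, outsz - 1);
    out[outsz - 1] = '\0';
    return trim_trailing_slashes(out);
}

/* Assumed toy model of a name-based protection check (not thttpd's real
 * logic): refuse to serve .htpasswd and .htaccess. This is the unpatched
 * behaviour: the name is checked as received, so "x/.htpasswd/" has an
 * empty basename and is not refused. Returns 1 when the request is denied. */
int unpatched_denies(const char *request_path)
{
    const char *base = strrchr(request_path, '/');
    base = base ? base + 1 : request_path;
    return strcmp(base, ".htpasswd") == 0 || strcmp(base, ".htaccess") == 0;
}

/* Patched behaviour: normalise first, then run the same check. */
int patched_denies(const char *request_path)
{
    char checked[256];
    normalise_path(request_path, checked, sizeof checked);
    return unpatched_denies(checked);
}

int main(void)
{
    const char *req = "protected-dir/.htpasswd/"; /* constructed sample request */
    printf("unpatched denies: %d, patched denies: %d\n",
           unpatched_denies(req), patched_denies(req));
    return 0;
}
```

The point to take from it is that any access decision keyed on a filename has to run on the canonical name; trimming after the decision, or not at all, is what lets the trailing slash through.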
PATCH INFORMATION

http://www.acme.com/software/thttpd/
http://www.acme.com/software/mini_httpd/

******************************************************************************************
THTTPD VENDOR PATCH BELOW THIS LINE
******************************************************************************************

<--- Insert patch here --->
*** libhttpd.c.old Mon Nov 12 17:44:18 2001 --- libhttpd.c Mon Nov 12 16:28:42 2001 *************** *** 1422,1429 **** struct stat sb; if ( stat( path, &sb ) != -1 ) { ! httpd_realloc_str( &checked, &maxchecked, strlen( path ) ); (void) strcpy( checked, path ); httpd_realloc_str( &rest, &maxrest, 0 ); rest[0] = '\0'; *restP = rest; --- 1447,1461 ---- struct stat sb; if ( stat( path, &sb ) != -1 ) { ! checkedlen = strlen( path ); ! httpd_realloc_str( &checked, &maxchecked, checkedlen ); (void) strcpy( checked, path ); + /* Trim trailing slashes. */ + while ( checked[checkedlen - 1] == '/' ) + { + checked[checkedlen - 1] = '\0'; + --checkedlen; + } httpd_realloc_str( &rest, &maxrest, 0 ); rest[0] = '\0'; *restP = rest;
<--- End of patch --->

Published to the Public November 2001
Copyright November 2001 Cgisecurity.com
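Review bot: the trim loop added in the libhttpd.c hunk, `while ( checked[checkedlen - 1] == '/' )`, has no lower bound on `checkedlen`, so if `path` consists only of slashes the loop empties the string and then reads `checked[-1]`; guard it with `while ( checkedlen > 0 && checked[checkedlen - 1] == '/' )`. The hunk also assigns `checkedlen` without its declaration appearing in the shown context, so confirm it is declared with an unsigned type large enough for `strlen` in the surrounding function.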