mailing list archives
Re: Cgisecurity.com Advisory #6: thttpd and mini_http Permission bypass vuln
From: Ben Okopnik <fuzzybear () pocketmail com>
Date: Wed, 14 Nov 2001 20:27:42 -0500
On Wed, Nov 14, 2001 at 06:42:21PM +0000, zeno wrote:
On 13.11.2001 16:25 zeno wrote:
Scripts Effected: Thttpd Secure Webserver, and Mini_httpd Webserver
If htaccess is used to password protect a directory, it is possible an
attacker can access data behind the password protected area by knowing
the name of the file he wants to view without a valid login. This also
works on htpasswd files in general, which are protected by the webserver
itself so that it cannot be readable by the web. A request like the one
below will gladly feed the contents of a .htpasswd file.
Couldn't reproduce the described behavior running thttpd 2.20b on freebsd
and linux (with and without chroot)
This had been tested on multiple machines. The vendor was also able to reproduce this
with the chroot option also. Perhaps not all are effected like previously thought.
Did you download it within the last 2 weeks? He put a patch in the version on his site
with no public notice.
Can't reproduce it on Debian Linux (woody), 2.2.19 kernel, thttpd-2.20b.
Originally downloaded in early August; size comparison and a CRC32 of the
original package against the one at the vendor's site show no differences.
Access to power must be confined to those who are not in love with it.