Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Cgisecurity.com Advisory #6: thttpd and mini_http Permission bypass vuln
From: Ben Okopnik <fuzzybear () pocketmail com>
Date: Wed, 14 Nov 2001 20:27:42 -0500

On Wed, Nov 14, 2001 at 06:42:21PM +0000, zeno wrote:
On 13.11.2001 16:25 zeno wrote:

 Scripts Effected: Thttpd Secure Webserver, and Mini_httpd Webserver

 If htaccess is used to password protect a directory, it is possible an
 attacker can access data behind the password protected area by knowing
 the name of the file he wants to view without a valid login. This also
 works on htpasswd files in general, which are protected by the webserver
 itself so that it cannot be readable by the web. A request like the one
 below will gladly feed the contents of a .htpasswd file.

  Couldn't reproduce the described behavior running thttpd 2.20b on freebsd
and linux (with and without chroot)

This had been tested on multiple machines. The vendor was also able to reproduce this
with the chroot option also. Perhaps not all are effected like previously thought.

Did you download it within the last 2 weeks? He put a patch in the version on his site
with no public notice.
Can't reproduce it on Debian Linux (woody), 2.2.19 kernel, thttpd-2.20b.
Originally downloaded in early August; size comparison and a CRC32 of the
original package against the one at the vendor's site show no differences.

Ben Okopnik
Access to power must be confined to those who are not in love with it.
 -- Plato

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]