[UNIX] tHTTPd and Mini_HTTPd Permission Bypass Vulnerability

From: support@securiteam.com
Date: 11/14/01

From: support@securiteam.com
To: list@securiteam.com
Subject: [UNIX] tHTTPd and Mini_HTTPd Permission Bypass Vulnerability
Message-Id: <20011114192736.235FE138BF@mail.der-keiler.de>
Date: Wed, 14 Nov 2001 20:27:36 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  tHTTPd and Mini_HTTPd Permission Bypass Vulnerability


 <http://www.acme.com/software/thttpd/thttpd.html> tHTTPd and
<http://www.acme.com/software/mini_httpd/> Mini_HTTPd are small HTTP
server implementations. Both these products contain a security
vulnerability in the way they protect non-world readable files and
password protected files. The vulnerability would allow access to
restricted files.


The problem lies in the way the HTTP daemon handles file requests. Even if
a file is marked 403 (not world readable), or is in a directory that is
password protected, it is still possible to remotely view these files. The
tHTTPd web server is only affected when the chroot option is used, and all
versions of Mini_HTTPd web server appear to be affected.

If htaccess is used to password protect a directory, it is possible an
attacker can access data behind the password-protected area by knowing the
name of the file he wants to view without a valid login. This also works
on htpasswd files in general, which are protected by the web server itself
so that it cannot be readable by the web. A request like the one below
will gladly feed the contents of a .htpasswd file.

http://host/protected-dir/.htpasswd/ (Notice the / on the end)

The vendor has been contacted about this issue. Check the vendor webpage
for newer web server versions along with patches at the links below.
Patch information:

                                  THTTPD VENDOR PATCH BELOW THIS LINE
 <--- Insert patch here --->
 *** libhttpd.c.old Mon Nov 12 17:44:18 2001
 --- libhttpd.c Mon Nov 12 16:28:42 2001
 *** 1422,1429 ****
         struct stat sb;
         if ( stat( path, &sb ) != -1 )
 ! httpd_realloc_str( &checked, &maxchecked, strlen( path ) );
             (void) strcpy( checked, path );
             httpd_realloc_str( &rest, &maxrest, 0 );
             rest[0] = '\0';
             *restP = rest;
 --- 1447,1461 ----
         struct stat sb;
         if ( stat( path, &sb ) != -1 )
 ! checkedlen = strlen( path );
 ! httpd_realloc_str( &checked, &maxchecked, checkedlen );
             (void) strcpy( checked, path );
 + /* Trim trailing slashes. */
 + while ( checked[checkedlen - 1] == '/' )
 + {
 + checked[checkedlen - 1] = '\0';
 + --checkedlen;
 + }
             httpd_realloc_str( &rest, &maxrest, 0 );
             rest[0] = '\0';
             *restP = rest;
 <--- End of patch --->


The information has been provided by <mailto:zeno@cgisecurity.net> zeno.


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages