Re: Cgisecurity.com Advisory #6: thttpd and mini_http Permission bypass vuln

From: Klaxon (klaxon@netcabo.pt)
Date: 11/14/01


Date: Wed, 14 Nov 2001 02:36:23 +0000
From: Klaxon <klaxon@netcabo.pt>
To: zeno <zeno@cgisecurity.net>
Subject: Re: Cgisecurity.com Advisory #6: thttpd and mini_http Permission bypass vuln
Message-ID: <20011114023623.C4430@endovellico.netcabo.pt>

On 13.11.2001 16:25 zeno wrote:

> Scripts Effected: Thttpd Secure Webserver, and Mini_httpd Webserver

> If htaccess is used to password protect a directory, it is possible an
> attacker can access data behind the password protected area by knowing
> the name of the file he wants to view without a valid login. This also
> works on htpasswd files in general, which are protected by the webserver
> itself so that it cannot be readable by the web. A request like the one
> below will gladly feed the contents of a .htpasswd file.

  Couldn't reproduce the described behavior running thttpd 2.20b on FreeBSD
and Linux (with and without chroot).

  Requesting any file before authenticating:

"Authorization required for the URL '/bar/foo.txt/'."
"Authorization required for the URL '/bar/.htpasswd/'."
"The requested URL '/bar/duh/' was not found on this server."
  Requesting .htpasswd after basic authentication:

"The requested URL '/bar/.htpasswd/' is an authorization file, retrieving it is

  Requesting unreadable file (mode 600) before authentication:

"The requested URL '/bar/foo.txt/' resolves to a file that is not world-readabl

--
EOF
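The probe below is an added example, not part of the original thread and not code from thttpd or mini_httpd. It automates the checks Klaxon describes (request the file, the .htpasswd and a nonexistent name, each with a trailing slash, before and after Basic authentication) and flags the responses that would confirm the advisory: content coming back without credentials, or the authorization file itself being served. So that it runs offline it also carries a constructed reference server whose decision order simply mirrors the responses quoted above (404 and not-world-readable are returned even before authentication); that server, the `/bar/` paths, the `alice` credentials and the file modes are all assumptions. Point `probe` at a real thttpd or mini_httpd instance to test a deployment instead.

```python
import base64
import http.server
import threading
import urllib.error
import urllib.request

# Constructed credentials and files for the protected area (assumption).
USERS = {"alice": "s3cret"}
PROTECTED_PREFIX = "/bar/"
FILES = {  # path -> (world_readable, body)
    "/bar/foo.txt": (True, b"hello from the protected directory\n"),
    "/bar/private.txt": (False, b"mode 600\n"),
    "/bar/.htpasswd": (True, b"alice:$1$constructed$hash\n"),
}


def decide(raw_path, authorized):
    """Status a correctly behaving server should return for a GET.

    The order of checks mirrors the responses quoted in the reply above; it
    is a constructed model, not thttpd's source.
    """
    path = raw_path.rstrip("/") or "/"  # 'foo.txt/' still names foo.txt
    if path not in FILES:
        return 404
    readable, _ = FILES[path]
    if not readable:
        return 403  # not world-readable
    if path.startswith(PROTECTED_PREFIX) and not authorized:
        return 401
    if path.rsplit("/", 1)[-1] == ".htpasswd":
        return 403  # authorization file, never served
    return 200


class ReferenceHandler(http.server.BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the probe output readable
        pass

    def _authorized(self):
        header = self.headers.get("Authorization", "")
        if not header.startswith("Basic "):
            return False
        try:
            user, _, pw = base64.b64decode(header[6:]).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return False
        return USERS.get(user) == pw

    def do_GET(self):
        status = decide(self.path, self._authorized())
        self.send_response(status)
        if status == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="bar"')
        body = FILES[self.path.rstrip("/")][1] if status == 200 else b""
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_reference_server():
    """Bind the constructed server on a free loopback port; returns (server, base URL)."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), ReferenceHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


def fetch_status(url, creds=None):
    """GET url, optionally with Basic credentials, and return the HTTP status."""
    req = urllib.request.Request(url)
    if creds:
        token = base64.b64encode(("%s:%s" % creds).encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def probe(base_url, paths, creds):
    """Map (path, authenticated) -> status for each path, without and with creds."""
    return {(p, a): fetch_status(base_url + p, creds if a else None)
            for p in paths for a in (False, True)}


def findings(results):
    """Responses that would confirm the advisory's permission bypass."""
    issues = []
    for (p, authed), status in results.items():
        if status == 200 and not authed:
            issues.append("%s served without credentials" % p)
        if status == 200 and p.rstrip("/").endswith("/.htpasswd"):
            issues.append("%s authorization file served" % p)
    return issues


if __name__ == "__main__":
    srv, base = start_reference_server()
    res = probe(base, ["/bar/foo.txt/", "/bar/.htpasswd/", "/bar/duh/",
                       "/bar/private.txt/"], ("alice", "s3cret"))
    for key, status in sorted(res.items()):
        print(key, status)
    print("findings:", findings(res) or "none")
    srv.shutdown()
```

Against the reference server `findings` comes back empty; against a server that really has the bug it would list the leaking paths. Note that the probe deliberately keeps the trailing slash on every request, since that is the form Klaxon tested.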


