From: zeno (zenocgisecurity.net)
Date: Tue Nov 13 2001 - 10:23:11 CST

    Hello,

    The vendor has already sent out notices and the patches can be found
    on the vendor's homepage listed below.

    - zenocgisecurity.com

                                       [ Cgi Security Advisory #6 ]
                                         admincgisecurity.com
                             Thttpd and Mini_Httpd Webserver Permission Bypass

    Found
    November 2001

    Public Release
    November 2001

    Vendor Contacted
    November 2001

    Scripts Affected: Thttpd Secure Webserver, and Mini_httpd Webserver
    Price: Free

    Versions:
    All versions appear to be affected

    Platforms:
    FreeBSD, SunOS, Solaris, Linux, Other Unix

    Vendor:
    http://www.acme.com

    1. Problem

    The problem lies in the way the httpd daemon handles file requests.
    If a file is marked 403 (not world readable), or is in a directory
    that is password protected, then it is possible to remotely view these
    files. The thttpd webserver is only affected when the chroot option is
    used (kinda ironic), and all versions of mini_httpd webserver appear to
    be affected.

    If htaccess is used to password protect a directory, it is possible that
    an attacker can access data behind the password protected area, without a
    valid login, by knowing the name of the file he wants to view. This also
    works on htpasswd files in general, which are protected by the webserver
    itself so that they cannot be read from the web. A request like the one
    below will gladly feed the contents of a .htpasswd file.

    http://host/protected-dir/.htpasswd/ (Notice the / on the end)

    2. Fixes

    The vendor has been contacted about this issue.
    Check the vendor webpage for newer webserver versions,
    along with patches, at the links below.

    PATCH INFORMATION
    http://www.acme.com/software/thttpd/
    http://www.acme.com/software/mini_httpd/

    ******************************************************************************************
                                     THTTPD VENDOR PATCH BELOW THIS LINE
    ******************************************************************************************

    <--- Insert patch here --->

    *** libhttpd.c.old Mon Nov 12 17:44:18 2001
    --- libhttpd.c Mon Nov 12 16:28:42 2001
    ***************
    *** 1422,1429 ****
            struct stat sb;
            if ( stat( path, &sb ) != -1 )
                {
    ! httpd_realloc_str( &checked, &maxchecked, strlen( path ) );
                (void) strcpy( checked, path );
                httpd_realloc_str( &rest, &maxrest, 0 );
                rest[0] = '\0';
                *restP = rest;
    --- 1447,1461 ----
            struct stat sb;
            if ( stat( path, &sb ) != -1 )
                {
    ! checkedlen = strlen( path );
    ! httpd_realloc_str( &checked, &maxchecked, checkedlen );
                (void) strcpy( checked, path );
    + /* Trim trailing slashes. */
    + while ( checked[checkedlen - 1] == '/' )
    + {
    + checked[checkedlen - 1] = '\0';
    + --checkedlen;
    + }
                httpd_realloc_str( &rest, &maxrest, 0 );
                rest[0] = '\0';
                *restP = rest;
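
    Review bot: the trim loop "while ( checked[checkedlen - 1] == '/' )" on the new side has no lower bound on checkedlen. When path is "/" (or consists only of slashes), the loop clears checked[0], drops checkedlen to 0, and then reads checked[-1], one byte before the start of the buffer; it also leaves checked as an empty string for the root path. Suggest bounding the loop, for example "while ( checkedlen > 1 && checked[checkedlen - 1] == '/' )", so a lone "/" is preserved. The declaration of checkedlen is not visible in this hunk; worth confirming its type matches the size argument passed to httpd_realloc_str.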

    <--- End of patch --->

    Published to the Public November 2001
    Copyright November 2001 Cgisecurity.com
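
A defender-side check for the request pattern described in section 1, added here as an example and not part of the advisory or the vendor's code: it scans access-log lines for requests that name a file but end in `/`, and separates those that were answered with 200 from those that were refused. The Common Log Format layout, the `SENSITIVE` list, the extension heuristic and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Common Log Format is assumed; adjust the pattern to the server's real log layout.
CLF = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
                 r'"[A-Z]+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
# Files that must never be served (assumed list, from the names in the advisory text).
SENSITIVE = {".htpasswd", ".htaccess"}
# Heuristic for "last component is a file": a short extension such as .txt or .cgi.
# A directory named like "v1.2" also matches, so findings need triage.
EXTENSION = re.compile(r"\.[A-Za-z0-9]{1,5}$")

# Constructed sample lines (documentation-range addresses), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Nov/2001:10:01:02 -0600] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.10 - - [13/Nov/2001:10:01:09 -0600] "GET /protected-dir/ HTTP/1.0" 401 0',
    '198.51.100.7 - - [13/Nov/2001:10:02:30 -0600] "GET /protected-dir/.htpasswd/ HTTP/1.0" 200 58',
    '198.51.100.7 - - [13/Nov/2001:10:02:41 -0600] "GET /protected-dir/report.txt/ HTTP/1.0" 200 2210',
    '203.0.113.5 - alice [13/Nov/2001:10:03:00 -0600] "GET /protected-dir/report.txt HTTP/1.0" 200 2210',
    '203.0.113.9 - - [13/Nov/2001:10:04:00 -0600] "GET /docs/%2Ehtpasswd/ HTTP/1.0" 403 0',
]


def classify(line):
    """Return (severity, host, decoded_path) for a file request ending in '/', else None."""
    m = CLF.match(line)
    if not m:
        return None
    path = unquote(m.group("path").split("?", 1)[0])  # drop query, decode %2E etc.
    if not path.endswith("/"):
        return None
    last = path.rstrip("/").rsplit("/", 1)[-1]
    if not last:
        return None  # plain "/" request
    if last.lower() not in SENSITIVE and not EXTENSION.search(last):
        return None  # ordinary directory or index request
    # 200 means content was returned for a file-like name with a trailing slash.
    severity = "served" if m.group("status") == "200" else "probe"
    return severity, m.group("host"), path


def scan(lines):
    """Classify every line and keep only the findings, in log order."""
    return [hit for hit in map(classify, lines) if hit]


if __name__ == "__main__":
    for severity, host, path in scan(SAMPLE_LOG):
        print(f"{severity:6} {host:15} {path}")
```

On a patched server the same requests should stop producing "served" findings, which makes the scan usable as a before-and-after check.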