[23146] in bugtraq
Re: Cgisecurity.com Advisory #6: thttpd and mini_http Permission bypass vuln
daemon@ATHENA.MIT.EDU (Klaxon)
Wed Nov 14 17:31:06 2001
Date: Wed, 14 Nov 2001 02:36:23 +0000
From: Klaxon <klaxon@netcabo.pt>
To: zeno <zeno@cgisecurity.net>
Cc: bugtraq@securityfocus.com
Message-ID: <20011114023623.C4430@endovellico.netcabo.pt>
Mime-Version: 1.0
Content-Type: text/plain; format=flowed; charset=ISO-8859-1
In-Reply-To: <200111131625.fADGPdX97513@cgisecurity.net>; from zeno@cgisecurity.net on Tue, Nov 13, 2001 at 16:25:39 +0000
On 13.11.2001 16:25 zeno wrote:
> Scripts Effected: Thttpd Secure Webserver, and Mini_httpd Webserver
> If htaccess is used to password protect a directory, it is possible an
> attacker can access data behind the password protected area by knowing
> the name of the file he wants to view without a valid login. This also
> works on htpasswd files in general, which are protected by the webserver
> itself so that it cannot be readable by the web. A request like the one
> below will gladly feed the contents of a .htpasswd file.
Couldn't reproduce the described behavior running thttpd 2.20b on freebsd
and linux (with and without chroot)
Requesting any file before authenticating:
"Authorization required for the URL '/bar/foo.txt/'."
"Authorization required for the URL '/bar/.htpasswd/'."
"The requested URL '/bar/duh/' was not found on this server."
Requesting .htpasswd after basic authentication:
"The requested URL '/bar/.htpasswd/' is an authorization file, retrieving it is
Requesting unreadable file (mode 600) before authentication:
"The requested URL '/bar/foo.txt/' resolves to a file that is not world-readabl
--
EOF
