[23150] in bugtraq


Re: Cgisecurity.com Advisory #6: thttpd and mini_http Permission bypass vuln

daemon@ATHENA.MIT.EDU (Ben Okopnik)
Wed Nov 14 23:25:41 2001

Date: Wed, 14 Nov 2001 20:27:42 -0500
From: Ben Okopnik <fuzzybear@pocketmail.com>
To: zeno <bugtraq@cgisecurity.net>
Cc: Klaxon <klaxon@netcabo.gt>, bugtraq@securityfocus.com
Message-ID: <20011114202742.B31653@Baldur>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200111141842.fAEIgLj08074@cgisecurity.net>

On Wed, Nov 14, 2001 at 06:42:21PM +0000, zeno wrote:
> > On 13.11.2001 16:25 zeno wrote:
> > 
> > >  Scripts Affected: Thttpd Secure Webserver, and Mini_httpd Webserver
> > 
> > >  If htaccess is used to password protect a directory, it is possible an
> > >  attacker can access data behind the password protected area by knowing
> > >  the name of the file he wants to view without a valid login. This also
> > >  works on htpasswd files in general, which are protected by the webserver
> > >  itself so that they cannot be read from the web. A request like the one
> > >  below will gladly feed the contents of a .htpasswd file.
> > 
> >   Couldn't reproduce the described behavior running thttpd 2.20b on freebsd
> > and linux (with and without chroot).
> 
> This had been tested on multiple machines. The vendor was also able to reproduce this
> with the chroot option. Perhaps not all are affected like previously thought.
> 
> Did you download it within the last 2 weeks? He put a patch in the version on his site
> with no public notice.
 
Can't reproduce it on Debian Linux (woody), 2.2.19 kernel, thttpd-2.20b.
Originally downloaded in early August; size comparison and a CRC32 of the
original package against the one at the vendor's site show no differences.


Ben Okopnik
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Access to power must be confined to those who are not in love with it.
 -- Plato
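As an added, defender-side example (not code from this thread, from thttpd or from cgisecurity.com): a small regression check an administrator can run against their own server for the two properties the advisory names, that a request inside the htaccess-protected directory is refused without credentials and that `.htpasswd`/`.htaccess` are never served. The mock servers, the `/private/` directory, `index.html` and the `user:pw` login are constructed assumptions so the check can be exercised offline; `LeakyServer` models the failure the advisory describes.

```python
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed layout (not from the advisory): protected dir /private/, login user:pw.
PROTECTED_PREFIX = "/private/"
SECRET_NAMES = (".htpasswd", ".htaccess")
GOOD_AUTH = "Basic " + base64.b64encode(b"user:pw").decode()

class MockServer(BaseHTTPRequestHandler):
    """Correctly configured server: auth under /private/, .htpasswd never served."""
    enforce = True

    def do_GET(self):
        unauthenticated = self.headers.get("Authorization") != GOOD_AUTH
        if self.enforce and self.path.rsplit("/", 1)[-1] in SECRET_NAMES:
            self.send_error(403)  # the server's own access-control files stay hidden
        elif self.enforce and self.path.startswith(PROTECTED_PREFIX) and unauthenticated:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="private"')
            self.end_headers()
        else:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"ok")

class LeakyServer(MockServer):
    enforce = False  # models the failure the advisory describes: everything is served

def start_mock(handler=MockServer):
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def status_of(host, port, path):
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", path)
    return conn.getresponse().status

def audit(host, port, protected_dir=PROTECTED_PREFIX, sample_file="index.html"):
    """Unauthenticated baseline check; an empty list means the server passed."""
    findings = []
    if status_of(host, port, protected_dir + sample_file) == 200:
        findings.append("unauthenticated GET inside the protected directory returned 200")
    for name in SECRET_NAMES:
        if status_of(host, port, protected_dir + name) == 200:
            findings.append(f"{name} is readable from the web")
    return findings
```

Point `audit()` at a real host and port to use it; it only sends plain requests, so it is a baseline check, not a reproduction of the advisory's request, which this archive does not include.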
