thttpd 'Host' Header Directory Traversal Flaw May Disclose Files to Remote Users
SecurityTracker Alert ID: 1008031
CVE Reference: CAN-2002-1562
Date: Oct 29 2003
Impact: Disclosure of system information, Disclosure of user information
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): prior to 2.24
Description: A vulnerability was reported in the thttpd web server. A remote user can view files on the server that are located outside of the document directory when virtual hosting is enabled. In October 2002, Jef Poskanzer reported that a remote user can supply a specially crafted 'Host:' header containing the '../..' directory traversal character string to view files at the top of the chroot tree. If chroot is not used, the remote user can view files located anywhere on the disk.
Marcus Breiing is credited with discovery.
Impact: If virtual hosting is enabled, a remote user can view files on the system that are located outside of the intended document directory and are readable with the privileges of the thttpd process.
Solution: The vendor has released a fixed version (2.24), available at:
http://www.acme.com/software/thttpd/thttpd-2.24.tar.gz
A patch is also available in the Source Message.
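The check that the vendor patches add, written out here as an added example (this is not thttpd's or mini_httpd's own code). It mirrors the fix in the Source Message: cut the Host value at the first ':' as libhttpd.c does, then refuse any value that could leave the per-host directory before the value is used to build a document path. The vhost layout /var/www/vhosts/<host> is a constructed placeholder, and rejecting a bare '.' or '..' and characters outside the hostname alphabet goes beyond the original patch, which only rejects '/'.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Copy the Host header value into out, dropping any ":port" suffix,
 * the way thttpd's libhttpd.c truncates hc->hdrhost at the first ':'.
 * Returns 0 on success, -1 if the value is empty or does not fit. */
static int normalize_host(const char *hdr, char *out, size_t outlen)
{
    size_t n = strcspn(hdr, ":");
    if (n == 0 || n >= outlen)
        return -1;
    memcpy(out, hdr, n);
    out[n] = '\0';
    return 0;
}

/* Return 1 if a normalized host is acceptable as a vhost directory name.
 * The vendor fix rejects any '/' so the value cannot contain a path
 * component like "../.." ; this stricter version (an assumption, not the
 * vendor's code) also rejects '\\', a bare "." or "..", and anything
 * outside the letters/digits/'-'/'.' hostname alphabet. */
static int host_is_safe(const char *host)
{
    if (host[0] == '\0')
        return 0;
    if (strcmp(host, ".") == 0 || strcmp(host, "..") == 0)
        return 0;
    for (const char *p = host; *p; ++p) {
        if (*p == '/' || *p == '\\')
            return 0;
        if (!isalnum((unsigned char)*p) && *p != '-' && *p != '.')
            return 0;
    }
    return 1;
}

/* Build the document root for a virtual host the way a vhost-enabled
 * server does. Returns 400 when the Host value is rejected (nothing is
 * written to path) and 200 when path holds the per-host directory.
 * The /var/www/vhosts prefix is a constructed placeholder. */
static int vhost_docroot(const char *hdr, char *path, size_t pathlen)
{
    char host[256];
    if (normalize_host(hdr, host, sizeof host) != 0 || !host_is_safe(host))
        return 400;
    if (snprintf(path, pathlen, "/var/www/vhosts/%s", host) >= (int)pathlen)
        return 400;
    return 200;
}

int main(void)
{
    /* Constructed sample Host values, not captured traffic. */
    const char *samples[] = {
        "www.example.com",
        "www.example.com:8080",
        "../..",   /* the traversal string from the advisory */
        "..",      /* no slash, so the vendor check alone would pass it */
        "",        /* empty value */
    };
    char path[512];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; ++i) {
        int status = vhost_docroot(samples[i], path, sizeof path);
        printf("%-24s -> %d %s\n", samples[i], status, status == 200 ? path : "");
    }
    return 0;
}
```

The ordering matters: the port suffix is removed first so that the value actually used as a directory name is the one inspected, and the check runs before the path is built, so a rejected value never reaches the filesystem. Returning the 400 status to the caller, rather than only sending the error, is what lets the request be abandoned instead of continuing with a bad host.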
Vendor URL: www.acme.com/software/thttpd/thttpd.html
Cause: Input validation error
Underlying OS: Linux (Any), UNIX (Any)
Message History:
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Date: Wed, 29 Oct 2003 08:36:05 -0500
Subject: [THTTPD] thttpd/mini_httpd security hole
List: thttpd
Subject: [THTTPD] thttpd/mini_httpd security hole
From: Jef Poskanzer <jef () acme ! com>
Date: 2002-10-31 18:56:00
Marcus Breiing noticed a nifty little hole in thttpd and mini_httpd.
If you are using virtual hosting, and an attacker supplies a jiggered
Host: header with ../.. in it, he can look at the top of the chroot
tree. If you're not using chroot he can browse your entire disk.
(You really should be using chroot.)
I'll try to put out releases today with the fix for this, but meanwhile
here's a patch. For thttpd:
*** libhttpd.c 2002/05/27 01:28:01 1.47
--- libhttpd.c 2002/10/31 18:11:24
***************
*** 2096,2101 ****
--- 2112,2122 ----
cp = strchr( hc->hdrhost, ':' );
if ( cp != (char*) 0 )
*cp = '\0';
+ if ( strchr( hc->hdrhost, '/' ) != (char*) 0 )
+ {
+ httpd_send_err( hc, 400, httpd_err400title, "", httpd_err400form, "" );
+ return -1;
+ }
}
else if ( strncasecmp( buf, "Accept:", 7 ) == 0 )
{
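Review bot: the new `strchr( hc->hdrhost, '/' )` test sits after the port suffix is cut at the first ':', so it inspects exactly the value later used as the virtual-host directory name, which is the right ordering, and the `return -1` after `httpd_send_err` stops the request from being processed further. The check only rejects a slash, so it blocks the '../..' sequence from the report, but a Host value consisting solely of '..' (or '.') contains no slash and passes; confirm how `hc->hdrhost` is joined to the document path and, if a bare '..' would still resolve to a parent directory, reject it in the same branch, e.g. `if ( strchr( hc->hdrhost, '/' ) != (char*) 0 || strcmp( hc->hdrhost, ".." ) == 0 )`. Note also that the added lines as reproduced here have lost their context-diff indentation, so this text may not apply cleanly with `patch`; the released 2.24 tarball is the safer source.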
And for mini_httpd:
*** mini_httpd.c 2002/05/27 01:49:42 1.33
--- mini_httpd.c 2002/10/31 18:07:03
***************
*** 1153,1158 ****
--- 1161,1168 ----
cp = &line[5];
cp += strspn( cp, " \t" );
host = cp;
+ if ( strchr( host, '/' ) != (char*) 0 )
+ send_error( 400, "Bad Request", "", "Can't parse request." );
}
else if ( strncasecmp( line, "If-Modified-Since:", 18 ) == 0 )
{
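Review bot: unlike the thttpd hunk, this branch calls `send_error( 400, "Bad Request", "", "Can't parse request." )` without a following `return`, so header parsing continues with the bad `host` value unless `send_error` never returns; nothing in the hunk shows that, so either add an explicit return after the call or a comment stating that `send_error` terminates the request. The check runs on the raw header value before any ':port' suffix is removed, which is fine because a slash anywhere in the value is invalid; bracing the single-statement `if` would match the surrounding block style.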