Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Web Server/CGI)  >   mini_httpd Vendors:   Acme Laboratories
mini_httpd Web Server Discloses Password-Protected and Non-Readable Files to Remote Users
SecurityTracker Alert ID:  1002743
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Updated:  Nov 13 2001
Original Entry Date:  Nov 13 2001
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): All versions appear to be affected
Description: reported a vulnerability in the mini_httpd web server. A remote user can view password-protected files without authentication.

A remote user can reportedly view files on the server that are not readable by the web server account or are in a password-protected directory.

If htaccess is used to password-protect a directory, a remote user can access files in the directory without authentication if the users knows the file name.

For example, the following URL request will return the .htpasswd file:

http://[targethost]/protected-dir/.htpasswd/ (Notice the / on the end)

Impact:   A remote user can access files on the web server that are intended to be inaccessible.
Solution:   The vendor has released a fixed version, available at the Vendor URL. A patch is also included in Source Message.
Vendor URL: (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.

 Source Message Contents

Subject:  [VulnWatch] Advisory #6: Thttpd and mini_httpd Permission Bypass Vuln


The vendor has already sent out notices and the patches can be found
on the vendors homepage listed below.


                                   [ Cgi Security Advisory #6 ]
                         Thttpd and Mini_Httpd Webserver Permission Bypass

November 2001

Public Release
November 2001

Vendor Contacted
November 2001

Scripts Effected: Thttpd Secure Webserver, and Mini_httpd Webserver
Price: Free

All versions appear to be effected

Freebsd, SunOs, Solaris, Linux, Other Unix


1. Problem

The problem lies in the way the httpd daemon handles file requests.
If a file is marked 403(not world readable), or is in a directory 
that is password protected, then it is possible to remotely view these 
files. The thttpd webserver is only effected when the chroot option is 
used(Kinda ironic), and all versions of mini_httpd webserver appear to 
be affected.

If htaccess is used to password protect a directory, it is possible an 
attacker can access data behind the password protected area by knowing 
the name of the file he wants to view without a valid login. This also 
works on htpasswd files in general, which are protected by the webserver
itself so that it cannot be readable by the web. A request like the one
below will gladly feed the contents of a .htpasswd file.

http://host/protected-dir/.htpasswd/ (Notice the / on the end)

2. Fixes

The vendor has been contacted about this issue.
Check the vendor webpage for newer webserver versions
along with patches at the links below.


                                 THTTPD VENDOR PATCH BELOW THIS LINE

<--- Insert patch here --->

*** libhttpd.c.old      Mon Nov 12 17:44:18 2001
--- libhttpd.c  Mon Nov 12 16:28:42 2001
*** 1422,1429 ****
        struct stat sb;
        if ( stat( path, &sb ) != -1 )
!           httpd_realloc_str( &checked, &maxchecked, strlen( path ) );
            (void) strcpy( checked, path );
            httpd_realloc_str( &rest, &maxrest, 0 );
            rest[0] = '\0';
            *restP = rest;
--- 1447,1461 ----
        struct stat sb;
        if ( stat( path, &sb ) != -1 )
!           checkedlen = strlen( path );
!           httpd_realloc_str( &checked, &maxchecked, checkedlen );
            (void) strcpy( checked, path );
+           /* Trim trailing slashes. */
+           while ( checked[checkedlen - 1] == '/' )
+               {
+               checked[checkedlen - 1] = '\0';
+               --checkedlen;
+               }
            httpd_realloc_str( &rest, &maxrest, 0 );
            rest[0] = '\0';
            *restP = rest;

<--- End of patch --->

Published to the Public November 2001
Copyright November 2001


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC