
thttpd-219.txt

05 Oct 2000 00:00:00 | Reported by Ghandi | Type: packetstorm | Source: packetstormsecurity.com

thttpd 2.19 allows retrieval of arbitrary world-readable files via CGI program "ssi".

Code
` thttpd 2.19 (and earlier) server-side-includes  
CGI program (ssi) allows retrieval of arbitrary  
world-readable files  
  
Date: October 2, 2000  
Application: thttpd 2.19 (and before)  
Author: ghandi <[email protected]>  
Vendor Status: merged patches into thttpd 2.20  
Fix: upgrade to thttpd 2.20  
  
1. Description  
  
The included cgi-bin program "ssi" (combined with a lesser bug in the  
thttpd server) allows the viewing of arbitrary files on the remote  
server. This includes files outside of the web root and files in  
cgi-bin directories (that would normally only be executed). However,  
only files readable by the user that the server is running under  
(usually user 'nobody') can be viewed. This typically limits the  
exposure to world-readable files only.  
  
2. Details  
  
From ssi(8):  
This is an external CGI program that gives you the same  
functionality as the built-in server-side-includes feature  
in some HTTP daemons. It is written for use with  
thttpd(8), but should be easy to adapt to other systems.  
  
Files to be parsed are passed to ssi as the "pathinfo" (their path is  
appended to the path to ssi). For example, to parse the file  
accessible at:  
http://www.example.com/index.shtml  
it would be referenced by:  
http://www.example.com/cgi-bin/ssi/index.shtml  
  
The pathinfo is appended to the server's working directory and passed  
to ssi via the PATH_TRANSLATED environment variable. The thttpd  
process removes any ".." sequences and decodes hex escapes before  
passing the string to ssi. However, by treating the string in that  
order, hex escaped ".." sequences (%2e%2e) escape the filter. This is  
usually not a problem because the server process has additional checks  
to prevent requests from referring to files outside of the web root.  
  
ssi, on the other hand, has no such checks about which files it should  
process. The pathname passed via PATH_TRANSLATED is used unaltered  
in fopen(3). Therefore, URLs can be crafted to retrieve any files in  
known locations on the web server:  
  
http://www.example.com/cgi-bin/ssi/cgi-bin/ssi  
  
http://www.example.com/cgi-bin/ssi/.htpasswd  
  
http://www.example.com/cgi-bin/ssi/cgi-bin/random-cgi.pl  
  
http://www.example.com/cgi-bin/ssi//%2e%2e/%2e%2e/<etc...>/etc/passwd  
  
(The "//" is needed to fool expand_symlinks() in libhttpd.c)  
  
3. Fix  
  
Jef Poskanzer (the author of thttpd) has merged my patches into thttpd  
2.20. Upgrading to 2.20 will prevent ssi from displaying CGI source  
files, .htpasswd files, or files outside the web server root.  
  
4. Availability  
  
thttpd 2.20 is available at:  
http://www.acme.com/software/thttpd/thttpd-2.20.tar.gz  
  
This advisory (and others) will be posted at:  
http://www.dopesquad.net/security  
  
`
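The ordering flaw described in section 2, as an added example that is not part of the advisory and is not thttpd's code: one routine checks for ".." before decoding hex escapes, the other decodes first and checks the string that would actually reach fopen(3). All function names are hypothetical, the sample path is constructed, and the model rejects a path containing ".." rather than stripping the sequence as the advisory says thttpd does.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Decode %XX escapes from src into dst; dst must hold strlen(src)+1 bytes. */
static void pct_decode(const char *src, char *dst)
{
    while (*src) {
        if (src[0] == '%' && isxdigit((unsigned char)src[1]) &&
            isxdigit((unsigned char)src[2])) {
            char hex[3] = { src[1], src[2], '\0' };
            *dst++ = (char)strtol(hex, NULL, 16);
            src += 3;
        } else {
            *dst++ = *src++;
        }
    }
    *dst = '\0';
}

/* Return 1 if any '/'-separated component of path is exactly "..". */
static int has_dotdot(const char *path)
{
    for (const char *p = path; *p; ) {
        size_t n = strcspn(p, "/");
        if (n == 2 && p[0] == '.' && p[1] == '.') return 1;
        p += n;
        while (*p == '/') p++;   /* skip separators, including "//" */
    }
    return 0;
}

/* Order the advisory describes: check the raw string, decode afterwards.
   Returns 1 if accepted; out receives the path that would be opened. */
int accept_check_then_decode(const char *raw, char *out)
{
    int ok = !has_dotdot(raw);   /* "%2e%2e" is not ".." yet, so it passes */
    pct_decode(raw, out);
    return ok;
}

/* Corrected order: decode first, then check the decoded string. */
int accept_decode_then_check(const char *raw, char *out)
{
    pct_decode(raw, out);
    return !has_dotdot(out);
}
```

The same decode-then-check step belongs in whichever program opens the file, since the advisory's second point is that ssi used PATH_TRANSLATED unaltered.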
