Tutorial - thttpd Vulnerabilities

thttpd Vulnerabilities

Created 5/7/03
CAN 1999-1457
CVE 2000-0359
CAN 2001-0892
CAN 2002-1562

Impact

A remote attacker could gain unauthorized read access or execute arbitrary commands.

Background

thttpd is a Unix web server designed to be small, simple, fast, and secure.

thttp supports virtual hosts, which is a web server configuration allowing multiple web sites to be hosted on the same server.

mini_httpd is another Unix web server by the same developers as thttpd. It was developed mainly for experimentation.

The Problems

Virtual Host Directory Traversal

5/7/03
CAN 2002-1562
If virtual hosting is enabled, a remote attacker could view files outside of the web root directory by supplying an HTTP Host: header containing slash-dot-dot (/..) sequences. If thttpd is run with chroot, an attack would be limited to the top of the chroot tree. Otherwise, the attacker could view any file on the entire disk.

Buffer Overflows in Date Parsing

CAN 1999-1457
CVE 2000-0359
thttpd versions prior to 2.0.5 are affected by a buffer overflow in the tdate_parse function. A remote attacker could execute arbitrary commands by including a long, specially crafted value in the If-Modified-Since: header within an HTTP request.

Permissions Bypass on Protected Files

CAN 2001-0892
When the chroot option is enabled, thttpd does not properly handle requests for protected files. By appending a trailing slash to a request, a remote attacker could view files which should not be readable, such as files in password protected directories.

Resolution

Upgrade to the latest version of thttpd or mini_httpd.

Where can I read more about this?

The directory traversal vulnerability in virtual hosting was posted to the thttpd users list.

The buffer overflow in date parsing was posted to Bugtraq.

The permissions bypass vulnerability was posted to Bugtraq.