List: thttpd
Subject: [THTTPD] thttpd/mini_httpd security hole
From: Jef Poskanzer <jef () acme ! com>
Date: 2002-10-31 18:56:00
Marcus Breiing noticed a nifty little hole in thttpd and mini_httpd.
If you are using virtual hosting, and an attacker supplies a jiggered
Host: header with ../.. in it, he can look at the top of the chroot
tree. If you're not using chroot he can browse your entire disk.
(You really should be using chroot.)

I'll try to put out releases today with the fix for this, but meanwhile
here's a patch. For thttpd:
*** libhttpd.c 2002/05/27 01:28:01 1.47
--- libhttpd.c 2002/10/31 18:11:24
***************
*** 2096,2101 ****
--- 2112,2122 ----
cp = strchr( hc->hdrhost, ':' );
if ( cp != (char*) 0 )
*cp = '\0';
+ if ( strchr( hc->hdrhost, '/' ) != (char*) 0 )
+ {
+ httpd_send_err( hc, 400, httpd_err400title, "", httpd_err400form, "" );
+ return -1;
+ }
}
else if ( strncasecmp( buf, "Accept:", 7 ) == 0 )
{
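Review bot: the added test on hc->hdrhost rejects only '/', so a Host: value that is exactly ".." (or any name starting with '.') still passes after the port is cut off at ':'. If the virtual-hosting code uses hc->hdrhost as a directory name, it would be safer to reject a leading dot here as well, for example by adding hc->hdrhost[0] == '.' to the condition, and to note in a comment why the header is being restricted.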
And for mini_httpd:
*** mini_httpd.c 2002/05/27 01:49:42 1.33
--- mini_httpd.c 2002/10/31 18:07:03
***************
*** 1153,1158 ****
--- 1161,1168 ----
cp = &line[5];
cp += strspn( cp, " \t" );
host = cp;
+ if ( strchr( host, '/' ) != (char*) 0 )
+ send_error( 400, "Bad Request", "", "Can't parse request." );
}
else if ( strncasecmp( line, "If-Modified-Since:", 18 ) == 0 )
{
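Review bot: the added send_error() call in the Host: branch is not followed by a return or exit in the visible lines, so the fix relies on send_error() never returning; if it can return, host still points at the rejected value and header parsing continues. A comment stating that send_error() does not return, or an explicit bail-out after it, would make the intent clear. As in the thttpd hunk, only '/' is rejected, so a value of ".." on its own passes this check.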
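An added example, not part of the original message and not code from thttpd or mini_httpd: an allowlist check for a Host: value before it is used as a virtual-host directory name. The function name vhost_name_ok and its rule set are assumptions for illustration; it goes beyond the patch above by also rejecting empty names, leading dots, and every character other than letters, digits, '-' and '.'.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from thttpd or mini_httpd): decide whether a
 * Host: header value may be used as a single directory name for virtual
 * hosting.  Returns 1 if acceptable, 0 if the request should get a 400. */
int vhost_name_ok(const char *host)
{
    const char *colon;
    size_t len, i;

    if (host == NULL)
        return 0;
    /* Only the part before an optional ":port" names the virtual host. */
    colon = strchr(host, ':');
    len = colon ? (size_t)(colon - host) : strlen(host);
    /* Reject empty names and anything longer than a DNS name (253). */
    if (len == 0 || len > 253)
        return 0;
    /* A leading dot covers ".", ".." and "../..". */
    if (host[0] == '.')
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        /* Allowlist letters, digits, '-' and '.'; slash and backslash fail. */
        if (!isalnum(c) && c != '-' && c != '.')
            return 0;
        /* No empty labels, so ".." cannot appear inside the name. */
        if (c == '.' && i + 1 < len && host[i + 1] == '.')
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample Host: values, not taken from real traffic. */
    const char *samples[] = { "www.example.com:8080", "../..", "..", "a/b" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s -> %s\n", samples[i],
               vhost_name_ok(samples[i]) ? "ok" : "400");
    return 0;
}
```

Because everything after the first ':' is treated as a port, bracketed IPv6 literals are rejected by this sketch.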