Subject: pkg/22198: thttpd virtual hosting security hole
To: None <gnats-bugs@gnats.netbsd.org>
From: Tyler Mitchell <fission@styrophone.net>
List: netbsd-bugs
Date: 07/20/2003 11:56:36
>Number: 22198
>Category: pkg
>Synopsis: thttpd virtual hosting security hole
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: pkg-manager
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Jul 20 18:57:00 UTC 2003
>Closed-Date:
>Last-Modified:
>Originator: Tyler Mitchell
>Release: NetBSD 1.6_STABLE
>Organization:
styrophone.net
>Environment:
NetBSD nucleus.styrophone.net 1.6_STABLE NetBSD 1.6_STABLE (NUCLEUS) #0: Thu Jan 23 01:26:54 PST 2003 fission@nucleus:/usr/src/sys/arch/i386/compile/NUCLEUS i386
>Description:
I'm a subscriber to the mini_httpd mailing list, and received this e-mail last
year. Later, when I wanted to use thttpd, I realised that nobody (including
the author himself!) had fixed this security hole. Here is the original
message from the author:
---------- Forwarded message ----------
Date: Thu, 31 Oct 2002 10:56:00 -0800
From: Jef Poskanzer <jef@acme.com>
To: mini_httpd@bomb.acme.com
Subject: [MINI_HTTPD] thttpd/mini_httpd security hole
Marcus Breiing noticed a nifty little hole in thttpd and mini_httpd.
If you are using virtual hosting, and an attacker supplies a jiggered
Host: header with ../.. in it, he can look at the top of the chroot
tree. If you're not using chroot he can browse your entire disk.
(You really should be using chroot.)
>How-To-Repeat:
Start thttpd with virtual hosting turned on.
Manually submit an HTTP/1.1 request whose Host: header contains ../..
(for example "GET / HTTP/1.1" followed by "Host: ../.."); the Host value is
used to select the virtual host's directory, so the dot-dot components walk
out of it.
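The failure the report describes, worked through as an added example in C (this is not thttpd's code and not from the report or the forwarded message): a Host:-keyed lookup that builds docroot/<host>/<url> is fed "../..", and two guards are compared, the slash blacklist equivalent to the patch below and a stricter hostname whitelist. The document root, the docroot/<host>/ layout and the helper names vhost_path, host_ok_patch and host_ok_strict are assumptions made for the example; thttpd's real path construction lives in libhttpd.c and is not reproduced here.

```c
/* Added example, not thttpd's code.  Shows how a Host:-keyed virtual-host
 * lookup turns "../.." into directory traversal and compares two guards.
 * DOCROOT and the docroot/<host>/<url> layout are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define DOCROOT "/var/www"   /* assumed document root */

/* Naive vhost mapping: DOCROOT "/" host-without-port "/" url.
 * Mirrors the design the report describes, not thttpd's exact code.
 * Returns the number of characters written, or -1 on overflow. */
static int vhost_path(char *out, size_t outlen,
                      const char *host, const char *url)
{
    char h[256];
    size_t n = strcspn(host, ":");       /* drop ":port", as the patch does */
    if (n >= sizeof h)
        return -1;
    memcpy(h, host, n);
    h[n] = '\0';
    int r = snprintf(out, outlen, "%s/%s/%s", DOCROOT, h, url);
    if (r < 0 || (size_t)r >= outlen)
        return -1;
    return r;
}

/* Guard equivalent to the posted patch: after the ":port" is cut off,
 * reject the value if it contains any '/'.  Returns 1 if acceptable. */
static int host_ok_patch(const char *host)
{
    size_t n = strcspn(host, ":");
    return memchr(host, '/', n) == NULL;
}

/* Stricter whitelist guard: after dropping ":port", accept only labels
 * made of letters, digits, '-' and '_' separated by single dots, so an
 * empty label ("..", ".", "a..b", ".foo", "foo.") is rejected.  A bare
 * ".." has no '/' and slips past host_ok_patch but not past this. */
static int host_ok_strict(const char *host)
{
    size_t n = strcspn(host, ":");
    size_t label = 0;                    /* chars in the current label */
    if (n == 0)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)host[i];
        if (c == '.') {
            if (label == 0)              /* empty label: ".." or leading dot */
                return 0;
            label = 0;
        } else if (isalnum(c) || c == '-' || c == '_') {
            label++;
        } else {
            return 0;                    /* '/', '\\', space, controls, ... */
        }
    }
    return label > 0;                    /* no trailing dot either */
}

int main(void)
{
    /* Constructed sample Host: values, not captured traffic. */
    const char *hosts[] = { "example.com:8080", "../..", "..", "a..b" };
    char path[512];
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++) {
        vhost_path(path, sizeof path, hosts[i], "index.html");
        printf("Host: %-18s -> %-34s patch:%d strict:%d\n", hosts[i], path,
               host_ok_patch(hosts[i]), host_ok_strict(hosts[i]));
    }
    return 0;
}
```

Run it and the "../.." and ".." rows show paths that resolve above DOCROOT; the patch-style guard stops the first but not the second, which is why a whitelist on the hostname characters is the safer shape for this check.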
>Fix:
(This was supplied by the author in that same e-mail.)
*** libhttpd.c 2002/05/27 01:28:01 1.47
--- libhttpd.c 2002/10/31 18:11:24
***************
*** 2096,2101 ****
--- 2112,2122 ----
cp = strchr( hc->hdrhost, ':' );
if ( cp != (char*) 0 )
*cp = '\0';
+ if ( strchr( hc->hdrhost, '/' ) != (char*) 0 )
+ {
+ httpd_send_err( hc, 400, httpd_err400title, "", httpd_err400form, "" );
+ return -1;
+ }
}
else if ( strncasecmp( buf, "Accept:", 7 ) == 0 )
{
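Review bot: the added guard (the four "+" lines after the ':' is nulled) only rejects a Host value containing '/', so a value of exactly ".." or "." still passes it, and whether that can still reach the filesystem depends on how the virtual-host directory is assembled outside this hunk. Safer to also reject the "." and ".." labels, or to replace the blacklist with a whitelist of hostname characters (letters, digits, '-', '.') applied to hc->hdrhost after the port is cut off, e.g. loop over hc->hdrhost and send the same 400 on any other byte. Placing the check after `*cp = '\0';` is right, since it means only the host part, not the port, is inspected.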
>Release-Note:
>Audit-Trail:
>Unformatted: