tech-security archive


Re: bozo .htpasswd exposure



/abc/.htpasswd => results in 403
/.htpasswd => exposes encrypted passwords

So there's a conditional at line 1478 of bozohttpd that can bypass the check_special_files call.  Basename is null in the case of "/.htpasswd" for some reason and the call is therefore bypassed.

(Additionally, the "|| basename[1]" part of the if clause seems to make assumptions about the contents of basename[0], and it seems it could lead to bypassing the check_special_files call in the case of one-character-long directory names; but this statement needs more research.)

JP

On Tue, Nov 20, 2018 at 9:36 AM JP <rlntlss83%gmail.com@localhost> wrote:
I see it.  I don't know why my .htpasswd is exposed then.  I'll keep digging..

On Tue, Nov 20, 2018 at 9:34 AM Martin Husemann <martin%duskware.de@localhost> wrote:
On Tue, Nov 20, 2018 at 03:31:44PM +0100, Martin Husemann wrote:
> On Tue, Nov 20, 2018 at 09:19:55AM -0500, JP wrote:
> > I don't see any code preventing the exposure of the file
>
> AUTH_FILE is missing from bozo_check_special_files() ?

No, that one calls bozo_auth_check_special_files() and there is the check
that you are looking for.

Martin
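
A defensive pattern for the bypass discussed in this thread, as an added example that is not bozohttpd's code and not from the thread participants: the protected-name test runs on every path component, so it cannot be skipped when a separately computed basename is null or when a directory name is one character long. The function names and the protected-name list are assumptions, and the path is assumed to be already percent-decoded.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Assumption: the one protected name discussed in the thread. */
static const char *const protected_names[] = { ".htpasswd" };

/* Hypothetical helper: true if the component [s, s+len) is a protected name. */
static bool component_is_protected(const char *s, size_t len)
{
    size_t n = sizeof(protected_names) / sizeof(protected_names[0]);

    for (size_t i = 0; i < n; i++) {
        if (strlen(protected_names[i]) == len &&
            memcmp(protected_names[i], s, len) == 0)
            return true;
    }
    return false;
}

/*
 * Hypothetical check: walk every '/'-separated component of the request
 * path instead of trusting a basename pointer computed elsewhere.
 * A NULL or empty path is refused rather than skipped (fail closed).
 * Returns true when the request must be denied.
 */
bool request_hits_protected_file(const char *path)
{
    if (path == NULL || *path == '\0')
        return true;

    const char *p = path;
    while (*p != '\0') {
        while (*p == '/')            /* skip leading and repeated slashes */
            p++;
        size_t len = strcspn(p, "/");  /* length of the current component */
        if (len > 0 && component_is_protected(p, len))
            return true;
        p += len;
    }
    return false;
}
```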

