Buffer overflow in defang in libhttpd.c for thttpd 2.21 to 2.23b1 allows remote attackers to execute arbitrary code via requests that contain '<' or '>' characters, which trigger the overflow when the characters are expanded to "&lt;" and "&gt;" sequences.

Several vulnerabilities have been discovered in thttpd, a tiny HTTP server.

The Common Vulnerabilities and Exposures project identifies the following vulnerabilities :

  - CAN-2002-1562: Information leak     Marcus Breiing discovered that if thttpd it is used for     virtual hosting, and an attacker supplies a specially     crafted 'Host:' header with a pathname instead of a     hostname, thttpd will reveal information about the host     system. Hence, an attacker can browse the entire disk.

  - CAN-2003-0899: Arbitrary code execution     Joel Soderberg and Christer Oberg discovered a remote     overflow which allows an attacker to partially overwrite     the EBP register and hence execute arbitrary code.

The remote host is running a vulnerable version of Acme thttpd. It is reported that versions prior 2.24 are prone to an issue that may permit an attacker to access arbitrary files on the vulnerable web server when virtual hosting is enabled. In a chrooted environment, this may only disclose directories under the chroot. 

The remote host is running a vulnerable version of Acme mini_httpd. It is reported that versions prior 1.18 are prone to an issue that may permit an attacker to access arbitrary files on the vulnerable web server when virtual hosting is enabled. In a chrooted environment, this may only disclose directories under the chroot. 

The remote host is using an old version of thttpd which is vulnerable to a directory traversal when virtual hosting is enabled. An attacker may use this flaw to read arbitrary files on the remote host.

The remote host is missing the patch for the advisory SuSE-SA:2003:044 (thttpd).


Two vulnerabilities were found in the 'tiny' web-server thttpd.
The first bug is a buffer overflow that can be exploited remotely to overwrite the EBP register of the stack. Due to memory-alignment of the stack done by gcc 3.x this bug can not be exploited. All thttpd versions mentioned in this advisory are compiled with gcc 3.x and are therefore not exploitable.
The other bug occurs in the virtual-hosting code of thttpd. A remote attacker can bypass the virtual-hosting mechanism to read arbitrary files.

Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command 'rpm -Fhv file.rpm' to apply the update.

The remote HTTP server allows anyone to browse the files on the remote host by sending HTTP requests with a Host: field set to '../../'.

ID	Name	Product	Family	Severity
15233	Debian DSA-396-1 : thttpd - missing input sanitizing, wrong calculation	Nessus	Debian Local Security Checks	high
2125	thttpd/mini_httpd < 2.24 Virtual Hosting File Disclosure	Nessus Network Monitor	Web Servers	high
2124	thttpd/mini_httpd Virtual Hosting File Disclosure	Nessus Network Monitor	Web Servers	high
1550	thttpd < 2.24 Host:' Header Traversal File Access / libhttpd.c defang Overflow	Nessus Network Monitor	Web Servers	high
13812	SuSE-SA:2003:044: thttpd	Nessus	SuSE Local Security Checks	high
11576	thttpd Host Header Traversal Arbitrary File Access	Nessus	Web Servers	medium

Detections

Analytics

CVE-2003-0899

critical

Tenable Plugins

high

high

high

high

high

medium