GLSA-200701-28 : thttpd: Unauthenticated remote file access

medium Nessus Plugin ID 24313

Synopsis

The remote Gentoo host is missing one or more security-related patches.

Description

The remote host is affected by the vulnerability described in GLSA-200701-28 (thttpd: Unauthenticated remote file access)

thttpd is vulnerable to an underlying change made to the start-stop-daemon command in the current stable Gentoo baselayout package (version 1.12.6). In the new version, the start-stop-daemon command performs a 'chdir /' command just before starting the thttpd process. In the Gentoo default configuration, this causes thttpd to start with the document root set to '/', the sytem root directory.
Impact :

When thttpd starts with the document root set to the system root directory, all files on the system that are readable by the thttpd process can be remotely accessed by unauthenticated users.
Workaround :

Alter the THTTPD_OPTS variable in /etc/conf.d/thttpd to include the '-d' option to specify the document root. Alternatively, modify the THTTPD_OPTS variable in /etc/conf.d/thttpd to specify a thttpd.conf file using the '-C' option, and then configure the 'dir=' directive in that thttpd.conf file.

Solution

All thttpd users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose '>=www-servers/thttpd-2.25b-r5'

See Also

https://security.gentoo.org/glsa/200701-28

Plugin Details

Severity: Medium

ID: 24313

File Name: gentoo_GLSA-200701-28.nasl

Version: 1.12

Type: local

Published: 2/9/2007

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Information

CPE: p-cpe:/a:gentoo:linux:thttpd, cpe:/o:gentoo:linux

Required KB Items: Host/local_checks_enabled, Host/Gentoo/release, Host/Gentoo/qpkg-list

Patch Publication Date: 1/31/2007

Reference Information

CVE: CVE-2007-0664

GLSA: 200701-28