ThHTTPd SSI vulnerability allows retrieval of world-readable files ------------------------------------------------------------------------ SUMMARY The included cgi-bin program "SSI" (combined with a small bug in the <http://www.acme.com/software/thttpd/> thttpd server) allows the viewing of arbitrary files on the remote server. This includes files outside of the web root and files in cgi-bin directory (that would normally only be executed). However, only files readable by the user that the server is running under (usually user 'nobody') can be viewed. This typically limits the exposure to world-readable files only. DETAILS Vulnerable systems: thttpd 2.19 Immune systems: thttpd 2.20 >From SSI(8): This is an external CGI program that gives you the same functionality as the built-in server-side-includes feature in some HTTP daemons. It is written for use with thttpd(8), but should be easy to adapt to other systems. Files to be parsed are passed to SSI as the "pathinfo" (their path is appended to the path to SSI). For example, parsing the file accessible at: http://www.example.com/index.shtml would be referenced by: http://www.example.com/cgi-bin/ssi/index.shtml The pathinfo is appended to the server's working directory and passed to SSI via the PATH_TRANSLATED environment variable. The thttpd process removed any ".." sequences and decodes hex escapes before passing the string to SSI. However, by treating the string in that order, hex escaped ".." sequences (%2e%2e) escape the filter. This is usually not a problem because the server process has additional checks to prevent requests from referring to files outside of the web root. SSI, on the other hand, has no such checks about which files it should process. The pathname passed via PATH_TRANSLATED is used unaltered in fopen(3). Therefore, URLs can be crafted to retrieve any files in known locations on the web server: http://www.example.com/cgi-bin/ssi/cgi-bin/ssi http://www.example.com/cgi-bin/ssi/.htpasswd http://www.example.com/cgi-bin/ssi/cgi-bin/random-cgi.pl http://www.example.com/cgi-bin/ssi//%2e%2e/%2e%2e/<etc...>/etc/passwd (The "//" is needed to fool expand_symlinks() in libhttpd.c) Fix: Jef Poskanzer (the author of thttpd) has merged the patches written by ghandi into thttpd 2.20. Upgrading to 2.20 will prevent SSI from displaying CGI source files, .htpasswd files, or files outside the web server root. thttpd 2.20 is available at: <http://www.acme.com/software/thttpd/thttpd-2.20.tar.gz> http://www.acme.com/software/thttpd/thttpd-2.20.tar.gz -- Eko Sulistiono MIKRODATA & AntiVirus Media Web: http://www.mikrodata.co.id/ WAP: http://www.mikrodata.co.id/wap/index.wml This message contains no viruses. Guaranteed by AVP. ------------------------------------------------------------------------ Forum Komunikasi Penulis-Pembaca MIKRODATA (FKPPM) Informasi : http:[EMAIL PROTECTED] Arsip : http://www.mail-archive.com/forum%40mikrodata.co.id/ WAP : http://mikrodata.co.id/wap/index.wml Milis ini menjadi kontribusi beberapa rubrik yang diasuh tim MIKRODATA. Termasuk rubrik-rubrik yang ada di media lain. Memakai, Menyebarluaskan, dan Memperbanyak software bajakan adalah tindakan kriminal. Please check with the latest AVP update before you ask about virus: ftp://mikrodata.co.id/avirus_&_security/AntiViral_Toolkit_Pro/avp30.zip
