Thttpd 2.19 and below includes a CGI program "ssi" which contains a vulnerability which allows remote users to read any file on the webserver. Exploit examples included. Fix available here.
5cf4c016185b6b2c6b33bf5944ac239ead66ec315980d03e497f790eea3acb5b
thttpd 2.19 (and earlier) server-side-includes
CGI program (ssi) allows retrieval of arbitrary
world-readable files
Date: October 2, 2000
Application: thttpd 2.19 (and before)
Author: ghandi <ghandi@dopesquad.net>
Vendor Status: merged patches into thttpd 2.20
Fix: upgrade into thttpd 2.20
1. Description
The included cgi-bin program "ssi" (combined with a lesser bug in the
thttpd server) allows the viewing of arbitrary files on the remote
server. This includes files outside of the web root and files in
cgi-bin directories (that would normally only be executed). However,
only files readable by the user that the server is running under
(usually user 'nobody') can be viewed. This typically limits the
exposure to world-readable files only.
2. Details
>From ssi(8):
This is an external CGI program that gives you the same
functionality as the built-in server-side-includes feature
in some HTTP daemons. It is written for use with
thttpd(8), but should be easy to adapt to other systems.
Files to be parsed are passed to ssi as the "pathinfo" (their path is
appended to the path to ssi). For example, to parse the file
accessible at:
https://www.example.com/index.shtml
it would be referenced by:
https://www.example.com/cgi-bin/ssi/index.shtml
The pathinfo is appended to the server's working directory and passed
to ssi via the PATH_TRANSLATED environment variable. The thttpd
process removed any ".." sequences and decodes hex escapes before
passing the string to ssi. However, by treating the string in that
order, hex escaped ".." sequences (%2e%2e) escape the filter. This is
usually not a problem because the server process has additional checks
to prevent requests from referring to files outside of the web root.
ssi, on the other hand, has no such checks about which files it should
process. The pathname passed via PATH_TRANSLATED is used unaltered
in fopen(3). Therefore, URLs can be crafted to retrieve any files in
known locations on the web server:
https://www.example.com/cgi-bin/ssi/cgi-bin/ssi
https://www.example.com/cgi-bin/ssi/.htpasswd
https://www.example.com/cgi-bin/ssi/cgi-bin/random-cgi.pl
https://www.example.com/cgi-bin/ssi//%2e%2e/%2e%2e/<etc...>/etc/passwd
(The "//" is needed to fool expand_symlinks() in libhttpd.c)
3. Fix
Jef Poskanzer (the author of thttpd) has merged my patches into thttpd
2.20. Upgrading to 2.20 will prevent ssi from displaying CGI source
files, .htpasswd files, or files outside the web server root.
4. Availability
thttpd 2.20 is available at:
https://www.acme.com/software/thttpd/thttpd-2.20.tar.gz
This advisory (and others) will be posted at:
https://www.dopesquad.net/security