Date: Wed, 19 Aug 1998 17:27:00 -0700
From: Marc Slemko <[email protected]>
To: [email protected]Subject: thttpd 2.04 released (fwd)
FYI, anyone using thttpd should take note of the below and ensure they
aren't vulnerable.
The exploit is obvious from the fix so I won't belabour the point.
---------- Forwarded message ----------
Date: Mon, 10 Aug 1998 19:24:57 -0700
From: Jef Poskanzer <[email protected]>
To: [email protected]
Cc: Marc Slemko <[email protected]>
Subject: thttpd 2.04 released
Marc Slemko discovered a fairly serious security problem in thttpd.
If you're not running chrooted, an attacker can use this bug to
read files outside of your document tree, for instance /etc/passwd.
Obviously this warrants an immediate patch release.
If you are running thttpd chrooted (i.e. you start it as root),
then you are safe from this bug. Better install the fix anyway
though.
New in version 2.04:
- The simple mmap cache added in version 2.01 is now more aggressive,
improving performance when a small set of files gets fetched a while lot.
- Fixed bug in filename translation.
Tarchive available as usual at http://www.acme.com/software/thttpd/
If all you want is the bug fix, a patch for just that is appended.
---
Jef
Jef Poskanzer [email protected]http://www.acme.com/jef/
*** /tmp/,RCSt101alaP Mon Aug 10 19:09:49 1998
--- libhttpd.c Mon Aug 10 19:09:31 1998
***************
*** 975,980 ****
--- 975,986 ----
(void) strcpy( rest, path );
if ( rest[restlen - 1] == '/' )
rest[--restlen] = '\0'; /* trim trailing slash */
+ /* Remove any leading slashes. */
+ while ( rest[0] == '/' )
+ {
+ (void) strcpy( rest, &(rest[1]) );
+ --restlen;
+ }
r = rest;
nlinks = 0;
