On Wed, Nov 14, 2001 at 06:42:21PM +0000, zeno wrote: > > On 13.11.2001 16:25 zeno wrote: > > > > > Scripts Effected: Thttpd Secure Webserver, and Mini_httpd Webserver > > > > > If htaccess is used to password protect a directory, it is possible an > > > attacker can access data behind the password protected area by knowing > > > the name of the file he wants to view without a valid login. This also > > > works on htpasswd files in general, which are protected by the webserver > > > itself so that it cannot be readable by the web. A request like the one > > > below will gladly feed the contents of a .htpasswd file. > > > > Couldn't reproduce the described behavior running thttpd 2.20b on freebsd > > and linux (with and without chroot) > >i > > This had been tested on multiple machines. The vendor was also able to reproduce this > with the chroot option also. Perhaps not all are effected like previously thought. > > Did you download it within the last 2 weeks? He put a patch in the version on his site > with no public notice. Can't reproduce it on Debian Linux (woody), 2.2.19 kernel, thttpd-2.20b. Originally downloaded in early August; size comparison and a CRC32 of the original package against the one at the vendor's site show no differences. Ben Okopnik -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Access to power must be confined to those who are not in love with it. -- Plato
