COMMAND

    thttpd

SYSTEMS AFFECTED

    thttpd 2.19 (and before)

PROBLEM

    'ghandi' found the following.  The included cgi-bin program  "ssi"
    (combined with a lesser bug in the thttpd server itself) allows the
    viewing of arbitrary files on the remote server.  This includes
    files outside of the web root and files in cgi-bin directories
    (which would normally only be executed, never returned as source).
    However, only files readable by the user that the server runs as
    (usually 'nobody') can be viewed, which typically limits the
    exposure to world-readable files.

    From ssi(8):

        This  is  an  external CGI program that gives you the same
        functionality as the built-in server-side-includes feature
        in  some  HTTP  daemons.   It  is  written  for  use  with
        thttpd(8), but should be easy to adapt to other systems.

    Files to be parsed are passed to ssi as the "pathinfo" (their path
    is appended to the path to  ssi).  For example, to parse  the file
    accessible at:

        http://www.example.com/index.shtml

    it would be referenced by:

        http://www.example.com/cgi-bin/ssi/index.shtml

    The pathinfo is appended to the server's working directory (the
    document root) and passed to ssi via the PATH_TRANSLATED
    environment variable.  The thttpd process removes any ".."
    sequences and then decodes hex escapes before passing the string
    to ssi.  Because the filter runs before the decode, hex-escaped
    ".." sequences (%2e%2e) pass through it untouched and only become
    ".." afterwards.  This is usually not a problem, because the server
    process has additional checks that prevent requests from referring
    to files outside of the web root.

    ssi, on the other hand, has no such checks about which files it
    should process.  The pathname passed via PATH_TRANSLATED is used
    unaltered in fopen(3).  Therefore URLs can be crafted to retrieve
    any file at a known location on the web server, for example:

        http://www.example.com/cgi-bin/ssi/cgi-bin/ssi
        http://www.example.com/cgi-bin/ssi/.htpasswd
        http://www.example.com/cgi-bin/ssi/cgi-bin/random-cgi.pl
        http://www.example.com/cgi-bin/ssi//%2e%2e/%2e%2e/<etc...>/etc/passwd

    (The "//" is needed to fool expand_symlinks() in libhttpd.c)
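    The following C program is an added illustration, not code from
    thttpd or ssi.  It models the two defects described above: the
    server stripping ".." before decoding %XX escapes (so "%2e%2e"
    survives the filter), and ssi opening PATH_TRANSLATED without first
    confining it to the document root.  confine_to_root() shows the
    check ssi was missing: decode first, resolve ".." lexically against
    the root, and refuse paths that climb above it.  The denylist for
    cgi-bin and .htpasswd mirrors what the advisory says 2.20 stops ssi
    from serving; it is illustrative, not thttpd's own rule.  The
    document root and paths are assumed values.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example (not thttpd or ssi code).  Models the two defects the
 * advisory describes: the server filtering ".." before decoding %XX
 * escapes, and ssi opening PATH_TRANSLATED without confining it. */

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode %XX escapes in place; malformed escapes are left as they are. */
void decode_hex(char *s) {
    char *from = s, *to = s;
    while (*from) {
        if (from[0] == '%' && hexval(from[1]) >= 0 && hexval(from[2]) >= 0) {
            *to++ = (char)(hexval(from[1]) * 16 + hexval(from[2]));
            from += 3;
        } else {
            *to++ = *from++;
        }
    }
    *to = '\0';
}

/* Remove every literal ".." substring (the filter the advisory describes). */
void strip_dotdot(char *s) {
    char *p;
    while ((p = strstr(s, "..")) != NULL)
        memmove(p, p + 2, strlen(p + 2) + 1);
}

/* Vulnerable order: filter first, decode second.  "%2e%2e" passes the
 * filter and only becomes ".." once it has been decoded. */
void filter_then_decode(const char *in, char *out, size_t n) {
    snprintf(out, n, "%s", in);
    strip_dotdot(out);
    decode_hex(out);
}

/* The check ssi lacked: decode, then resolve pathinfo lexically against
 * the document root (dropping empty and "." components, popping one
 * component per "..") and refuse anything that climbs above the root.
 * Returns 1 and writes root+path to out on success, 0 on rejection. */
int confine_to_root(const char *root, const char *pathinfo, char *out, size_t n) {
    char dec[1024], rel[1024];
    size_t rl = 0;
    const char *p = dec;

    snprintf(dec, sizeof dec, "%s", pathinfo);
    decode_hex(dec);                     /* decode BEFORE any checks */
    rel[0] = '\0';
    while (*p) {
        while (*p == '/') p++;           /* "//" yields no empty component */
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t sl = (size_t)(p - seg);
        if (sl == 0) break;
        if (sl == 1 && seg[0] == '.') continue;
        if (sl == 2 && seg[0] == '.' && seg[1] == '.') {
            if (rl == 0) return 0;       /* would escape the document root */
            while (rl > 0 && rel[--rl] != '/') { }
            rel[rl] = '\0';
            continue;
        }
        if (rl + 1 + sl + 1 > sizeof rel) return 0;
        rel[rl++] = '/';
        memcpy(rel + rl, seg, sl);
        rl += sl;
        rel[rl] = '\0';
    }
    /* Illustrative denylist for what 2.20 stops ssi serving (assumed rule,
     * not thttpd's implementation): CGI sources and .htpasswd files. */
    if (strncmp(rel, "/cgi-bin/", 9) == 0 || strstr(rel, "/.htpasswd") != NULL)
        return 0;
    if (snprintf(out, n, "%s%s", root, rel) >= (int)n) return 0;
    return 1;
}

int main(void) {
    char out[256];
    filter_then_decode("%2e%2e/%2e%2e/etc/passwd", out, sizeof out);
    printf("filter-then-decode: %s\n", out);
    printf("confined: %d\n",
           confine_to_root("/usr/local/www/data", "//%2e%2e/%2e%2e/etc/passwd",
                           out, sizeof out));
    return 0;
}
```

    filter_then_decode() reproduces the fourth URL above: the literal
    ".." filter never sees a ".." and the decoded result walks out of
    the root.  confine_to_root() decodes before checking, so the same
    input is rejected, while an ordinary "/docs/../index.shtml" still
    resolves inside the root.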

SOLUTION

    Upgrade to thttpd 2.20.  Upgrading to 2.20 prevents ssi from
    displaying CGI source files, .htpasswd files, or files outside the
    web server root.  thttpd 2.20 is available at:

        http://www.acme.com/software/thttpd/thttpd-2.20.tar.gz

    For FreeBSD:

        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/www/thttpd-2.20b.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/www/thttpd-2.20b.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/www/thttpd-2.20b.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/www/thttpd-2.20b.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/www/thttpd-2.20b.tgz