thttpd 2.19 (and earlier) server-side-includes CGI program (ssi) allows retrieval of arbitrary world-readable files Date: October 2, 2000 Application: thttpd 2.19 (and before) Author: ghandi Vendor Status: merged patches into thttpd 2.20 Fix: upgrade into thttpd 2.20 1. Description The included cgi-bin program "ssi" (combined with a lesser bug in the thttpd server) allows the viewing of arbitrary files on the remote server. This includes files outside of the web root and files in cgi-bin directories (that would normally only be executed). However, only files readable by the user that the server is running under (usually user 'nobody') can be viewed. This typically limits the exposure to world-readable files only. 2. Details >From ssi(8): This is an external CGI program that gives you the same functionality as the built-in server-side-includes feature in some HTTP daemons. It is written for use with thttpd(8), but should be easy to adapt to other systems. Files to be parsed are passed to ssi as the "pathinfo" (their path is appended to the path to ssi). For example, to parse the file accessible at: http://www.example.com/index.shtml it would be referenced by: http://www.example.com/cgi-bin/ssi/index.shtml The pathinfo is appended to the server's working directory and passed to ssi via the PATH_TRANSLATED environment variable. The thttpd process removed any ".." sequences and decodes hex escapes before passing the string to ssi. However, by treating the string in that order, hex escaped ".." sequences (%2e%2e) escape the filter. This is usually not a problem because the server process has additional checks to prevent requests from referring to files outside of the web root. ssi, on the other hand, has no such checks about which files it should process. The pathname passed via PATH_TRANSLATED is used unaltered in fopen(3). Therefore, URLs can be crafted to retrieve any files in known locations on the web server: http://www.example.com/cgi-bin/ssi/cgi-bin/ssi http://www.example.com/cgi-bin/ssi/.htpasswd http://www.example.com/cgi-bin/ssi/cgi-bin/random-cgi.pl http://www.example.com/cgi-bin/ssi//%2e%2e/%2e%2e//etc/passwd (The "//" is needed to fool expand_symlinks() in libhttpd.c) 3. Fix Jef Poskanzer (the author of thttpd) has merged my patches into thttpd 2.20. Upgrading to 2.20 will prevent ssi from displaying CGI source files, .htpasswd files, or files outside the web server root. 4. Availability thttpd 2.20 is available at: http://www.acme.com/software/thttpd/thttpd-2.20.tar.gz This advisory (and others) will be posted at: http://www.dopesquad.net/security