Acme THTTPD/Mini_HTTPD File...

Published: 2001-11-13
Revised: 2025-04-13

Acme THTTPD and Mini_HTTPD are both small web servers that run on FreeBSD, SunOS, Solaris, Linux, and other Unix operating systems. They are freely available and maintained by Acme Laboratories. Both programs are prone to an issue that may allow a remote attacker to display arbitrary files on a vulnerable host with a specially crafted web request. This may occur if the attacker appends a '/' to a request for an existing file. Files that exist in protected directories or that are marked 403 (but not world-readable) may be retrieved in this manner. This issue may be taken advantage of to retrieve '.htpasswd' files. It should be noted that THTTPD Secure Webserver is only prone to this issue when the 'chroot' option is enabled. Mini_HTTPD is affected regardless of any settings. Though the vendor has acknowledged and patched the problem, there have been reports that some environments may not be vulnerable to this issue. For example, systems running...
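For log review, the following Python function is an added example (not part of the original advisory or of Acme's code). It scans access-log lines, assumed to be in Common Log Format, for the pattern described above: a request whose last path segment looks like a file but carries a trailing '/', answered with 200. The log lines are constructed, and the function names and the file-name heuristic are assumptions.

```python
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) \S+'
)

def looks_like_file(segment):
    """Heuristic (assumption): dotfiles and names with an extension are files.
    Directories with a dot in their name (e.g. 'v1.2') are false positives."""
    if segment in (".", ".."):
        return False
    return segment.startswith(".") or bool(re.search(r"\.[A-Za-z0-9]{1,8}$", segment))

def trailing_slash_file_hits(lines):
    """Return (client, path, status) for file-like paths requested with a
    trailing '/' that the server answered with 200."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a CLF line, skip rather than guess
        # Drop the query string and normalise percent-encoding before matching.
        path = unquote(m["target"].split("?", 1)[0])
        if not path.endswith("/"):
            continue
        segment = path.rstrip("/").rsplit("/", 1)[-1]
        if segment and looks_like_file(segment) and m["status"] == "200":
            hits.append((m["host"], path, int(m["status"])))
    return hits

# Constructed sample log lines (documentation address ranges, invented paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Nov/2001:10:00:01 +0000] "GET /docs/ HTTP/1.0" 200 1043',
    '192.0.2.10 - - [13/Nov/2001:10:00:02 +0000] "GET /private/.htpasswd HTTP/1.0" 403 0',
    '198.51.100.7 - - [13/Nov/2001:10:00:03 +0000] "GET /private/.htpasswd/ HTTP/1.0" 200 58',
    '198.51.100.7 - - [13/Nov/2001:10:00:04 +0000] "GET /private/report.txt/ HTTP/1.0" 200 912',
    '192.0.2.10 - - [13/Nov/2001:10:00:05 +0000] "GET /index.html/ HTTP/1.0" 404 0',
]

if __name__ == "__main__":
    for client, path, status in trailing_slash_file_hits(SAMPLE_LOG):
        print(f"{client} was served {path} ({status})")
```

Any hit on a protected path is worth correlating with the server version in use and with earlier 403 responses for the same file from the same client.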

No exploit or PoC is currently available.
There are currently 0 affected product entries.