Title: Acme thttpd Directory Traversal Vulnerability
Severity: MODERATE
Description:
thttpd is an HTTP server implementation that is maintained by Acme. It is intended to run on Unix/Linux variants. There is a port available to run on Microsoft Windows platforms.
It is reported that thttpd is susceptible to a directory traversal vulnerability. This issue presents itself due to insufficient sanitization of user-supplied data. This issue only exists in the Windows port of the application, as it does not correctly take into consideration the environmental attributes of file system access in applications.
Specifically, if an attacker requests a file from an affected thttpd server that contains drive letters, or backslash characters, it will not be correctly sanitized. This will result in improper access to potentially sensitive files located outside of the document root of the web server.
This issue may allow an attacker to retrieve arbitrary, potentially sensitive files, from the affected host computer, as the user that the thttpd process is running as.
Version 2.07 beta 0.4 of thttpd, running on a Microsoft Windows platform is reported vulnerable to this issue.
Affected Products:
- Acme thttpd 2.0.7 beta 0.4
References:
- Acme: Acme software thttpd
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
