| Field | Value |
|---|---|
| VID | 22237 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | WWW |
| Detailed Description | The HTTP server has a directory traversal vulnerability via "dot dot" sequences in the Host: header. thttpd and mini_httpd, developed by Acme Labs, are free Web server daemons available for most Unix-based operating systems. thttpd versions prior to 2.13 and mini_httpd versions prior to 1.08 could allow a remote attacker to traverse directories on the Web server. If virtual hosting is enabled on the affected system, a remote attacker who submits a directory traversal sequence in the Host: header field of an HTTP request could gain unauthorized access to files on the system. References: http://marc.theaimsgroup.com/?l=thttpd&m=103609565110472&w=2 ; http://news.php.net/article.php?group=php.cvs&article=15698 . Platforms Affected: mini_httpd prior to 1.08; thttpd prior to 2.13; Linux (any version); Unix (any version). |
| Recommendation | For thttpd: upgrade to the latest version of thttpd (2.23 or later), available from the thttpd Web page at http://www.acme.com/software/thttpd/ . For mini_httpd: upgrade to the latest version of mini_httpd (1.17 or later), available from the mini_httpd Web page at http://www.acme.com/software/mini_httpd/ . For Debian GNU/Linux: upgrade to the latest thttpd package, as listed in Debian Security Advisory DSA-396-1, http://www.debian.org/security/2003/dsa-396 . For other distributions: contact your vendor for upgrade or patch information. |
| Related URL | CVE-2002-1562 (CVE) |
| Related URL | 8924 (SecurityFocus) |
| Related URL | 11897 (ISS) |