[LWN Logo]
[Timeline]
Date:         Mon, 2 Oct 2000 13:23:45 -0600
Subject:      thttpd ssi: retrieval of arbitrary world-readable files
To: BUGTRAQ@SECURITYFOCUS.COM

            thttpd 2.19 (and earlier) server-side-includes
           CGI program (ssi) allows retrieval of arbitrary
                         world-readable files
        
                Date:           October 2, 2000
                Application:    thttpd 2.19 (and before)
                Author:         ghandi <ghandi@dopesquad.net>
                Vendor Status:  merged patches into thttpd 2.20
                Fix:            upgrade into thttpd 2.20
                
1.  Description

The included cgi-bin program "ssi" (combined with a lesser bug in the
thttpd server) allows the viewing of arbitrary files on the remote
server.  This includes files outside of the web root and files in
cgi-bin directories (that would normally only be executed).  However,
only files readable by the user that the server is running under
(usually user 'nobody') can be viewed.  This typically limits the
exposure to world-readable files only.

2.  Details

>From ssi(8):
    This  is  an  external CGI program that gives you the same
    functionality as the built-in server-side-includes feature
    in  some  HTTP  daemons.   It  is  written  for  use  with
    thttpd(8), but should be easy to adapt to other systems.

Files to be parsed are passed to ssi as the "pathinfo" (their path is
appended to the path to ssi).  For example, to parse the file
accessible at:
    http://www.example.com/index.shtml
it would be referenced by:
    http://www.example.com/cgi-bin/ssi/index.shtml

The pathinfo is appended to the server's working directory and passed
to ssi via the PATH_TRANSLATED environment variable.  The thttpd
process removed any ".." sequences and decodes hex escapes before
passing the string to ssi.  However, by treating the string in that
order, hex escaped ".." sequences (%2e%2e) escape the filter.  This is
usually not a problem because the server process has additional checks
to prevent requests from referring to files outside of the web root.

ssi, on the other hand, has no such checks about which files it should
process.  The pathname passed via PATH_TRANSLATED is used unaltered
in fopen(3).  Therefore, URLs can be crafted to retrieve any files in
known locations on the web server:

http://www.example.com/cgi-bin/ssi/cgi-bin/ssi

http://www.example.com/cgi-bin/ssi/.htpasswd

http://www.example.com/cgi-bin/ssi/cgi-bin/random-cgi.pl

http://www.example.com/cgi-bin/ssi//%2e%2e/%2e%2e/<etc...>/etc/passwd

(The "//" is needed to fool expand_symlinks() in libhttpd.c)

3. Fix
Jef Poskanzer (the author of thttpd) has merged my patches into thttpd
2.20.  Upgrading to 2.20 will prevent ssi from displaying CGI source
files, .htpasswd files, or files outside the web server root.

4. Availability

thttpd 2.20 is available at:
http://www.acme.com/software/thttpd/thttpd-2.20.tar.gz

This advisory (and others) will be posted at:
http://www.dopesquad.net/security