A remote attacker could gain unauthorized read access or
execute arbitrary commands.
is a Unix web server designed to be small, simple, fast,
thttp supports virtual hosts, which is a web server
configuration allowing multiple web sites to be hosted on the
another Unix web server by the same developers as thttpd.
It was developed mainly for experimentation.
Also note that FREESCO
routing software embeds a thttpd server.
Terminal Escape Sequence in Logs Command Injection Vulnerability
Acme thttpd 2.25b and prior are prone to a command-injection vulnerability
because they fail to adequately sanitize user-supplied input in logfiles.
Attackers can exploit this issue to execute arbitrary commands in a terminal.
htpasswd Local Privilege Elevation
htpasswd, as used in thttpd has several local privilege
elevation vulnerabilities including those caused by shell
metacharacters, overly long command line arguments and an
overly long line in a file. Versions of thttpd up to and
including 2.25b are vulnerable.
CGI example Cross-Site Scripting
The example CGI script is vulnerable to cross-site
scripting via the test parameter.
A cross-site scripting vulnerability could be exploited by a malicious
web site to trick an unsuspecting user into executing arbitrary commands
on his or her own computer. One possible outcome would be for the
attacker to steal cookies from the user's web browser, which often
contain authentication data that could be used to gain unauthorized
access to web applications.
It is reported that thttpd 2.05 is vulnerable but other versions
are likely to be vulnerable.
defang Buffer Overflow
thttpd versions prior to 2.24 contain a remotely exploitable
buffer overflow in the defang() function in
libhttpd.c that allows execution of arbitrary code
on the vulnerable host. The vulnerability can be exploited by
sending a request that contains "<" or ">" characters, which
trigger the overflow when the characters are expanded to "&lt;"
and "&gt;" sequences.
Virtual Host Directory Traversal
If virtual hosting is enabled, a remote attacker could view
files outside of the web root directory by supplying an
HTTP Host: header containing slash-dot-dot
(/..) sequences. If thttpd is run with
chroot, an attack would be limited to the
top of the chroot tree. Otherwise, the attacker
could view any file on the entire disk.
Buffer Overflows in Date Parsing
thttpd versions prior to 2.05 are affected by
a buffer overflow in the tdate_parse function.
A remote attacker could execute arbitrary commands by
including a long, specially crafted value in the
If-Modified-Since: header within an HTTP
Permissions Bypass on Protected Files
When the chroot option is enabled,
thttpd does not properly handle requests for protected files.
By appending a trailing slash to a request, a remote attacker
could view files which should not be readable, such as files
in password protected directories. thttpd versions prior to
2.22 are vulnerable.
The Terminal Escape Sequence in Logs Command Injection vulnerability was reported in
http://www.securityfocus.com/bid/37714 Bugtraq ID 37714.
The htpasswd privilege elevation vulnerability was reported in
http://www.securityfocus.com/bid/16972 Bugtraq ID 16972.
The cross-site scripting vulnerability was reported in http://www.securityfocus.com/bid/9474/ Bugtraq ID 9474.
For information about the defang buffer overflow vulnerability, see
Texonet Security Advisory
The directory traversal vulnerability in virtual hosting was
posted to the http://marc.theaimsgroup.com/?l=thttpd&m=103609565110472&w=2 thttpd users list.
The buffer overflow in date parsing was posted to
http://www.securityfocus.com/archive/1/34635 Bugtraq archive 342584.
The permissions bypass vulnerability was posted to
http://www.securityfocus.com/archive/1/239964 Bugtraq archive 239964.
Low Attack Complexity, Partial Confidentiality Impact, Partial Integrity Impact, Complete Availability Impact