oss-sec mailing list archives
CVE Request: mini-httpd (<= v1.30) is affected by a response discrepancy information exposure (CWE-204)
From: Salva Peiró <speirofr () gmail com>
Date: Wed, 12 Dec 2018 16:27:02 +0100
Hi everyone,

The mini-httpd daemon (version <= v1.30) shipped in Debian/Ubuntu from [1] is affected by a response discrepancy information exposure (CWE-204) that enables an attacker to remotely enumerate valid htpasswd usernames (RFC 7617).

A more detailed advisory can be found at:
https://speirofr.appspot.com/files/advisory/SPADV-2018-01.md
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=916190

Is there a CVE for this? If not, could one be assigned, please?

[1] http://www.acme.com/software/mini_httpd/

Best Regards,
--
Salva Peiró. Software Engineer
https://speirofr.appspot.com

## Description

Requesting an .htpasswd protected URL with a valid username part without providing the corresponding password e.g., "user:" per (RFC 7617) causes the mini-httpd to unexpectedly terminate.

~~~
user@box $ curl http://user:@127.0.0.1:8000/auth/
curl: (52) Empty reply from server
~~~

The problem is that the mini_httpd.c:2407 contains a NULL pointer dereference bug that allows a remote attacker to enumerate valid htpasswd usernames (RFC 7617).

## Proposed Fix

~~~
From 62eff179b34cd1435017438ab99ed1906b6cc6c8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Salva=20Peir=C3=B3?= <speirofr () gmail com> Date: Wed, 5 Dec 2018 18:46:46 +0100 Subject: [PATCH] Fix NULL pointer dereference at mini_httpd.c:2407 (SPADV-2018-01) --- mini_httpd.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/mini_httpd.c b/mini_httpd.c index 03d0cdd..77f030f 100644 --- a/mini_httpd.c +++ b/mini_httpd.c @@ -2404,7 +2404,8 @@ auth_check( char* dirname ) /* Yes. */ (void) fclose( fp ); /* So is the password right? */ - if ( strcmp( crypt( authpass, cryp ), cryp ) == 0 ) + char *cryptpass = crypt( authpass, cryp ); + if ((cryptpass != NULL) && (strcmp(cryptpass, cryp ) == 0) ) { /* Ok! */ remoteuser = line; -- 2.11.0 ~~~ ## Versions affected All versions of mini-httpd below <= v1.30. http://www.acme.com/software/mini_httpd/ Debian: https://packages.debian.org/stretch/mini-httpd Ubuntu: https://launchpad.net/ubuntu/+source/mini-httpd
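Review bot: In the auth_check() hunk, `char *cryptpass = crypt( authpass, cryp );` is declared after the `(void) fclose( fp );` statement in the same block, which is not valid C89; declare `cryptpass` alongside the function's other locals and only assign it at this point. The NULL guard is the right check, since crypt() returns NULL on failure, but it should carry a one-line comment saying so, and the new condition `if ((cryptpass != NULL) && (strcmp(cryptpass, cryp ) == 0) )` should follow the spacing of the line it replaces (`if ( strcmp( ... ) == 0 )`). The commit message should also say which response a NULL result now produces, because the report is about a response discrepancy and the visible lines only show that the "Ok!" branch is skipped.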