thttpd 2.04 stack overflow

[djb () CR YP TO (D. J. Bernstein)]

thttpd is a single-process web server. According to Netcraft, it's used
on 1.82% of all HTTP servers, behind only Apache, IIS, Enterprise, and
Rapidsite. The current version is thttpd 2.04; as far as I know, the
comments below apply to all versions back to 1.90a.

The thttpd web page says that thttpd is simple, small, portable, fast,
and secure; it ``goes to great lengths to protect the web server machine
against attacks and breakins from other sites.'' Sounds good, doesn't it?

Today I glanced at the thttpd 2.04 source code, wondering how seriously
thttpd parsed HTTP If-Modified-Since fields. I was horrified to see that
tdate_parse() scans %[a-zA-Z] into a fixed-size stack buffer.

I tried running thttpd on a throwaway account, and feeding it an
If-Modified-Since line with 1300 x's. It dumped core. This is something
that any attacker on the Internet could do to any thttpd server, taking
down web service until thttpd is restarted.

Presumably, at least on little-endian machines, a careful attacker can
take over the thttpd server---i.e., take over web service, and anything
else running as ``nobody''---by overwriting only two or three bytes of
the return address. But I haven't spent any more time looking at the
code. Perhaps other people here would be interested in investigating
thttpd's security in more detail.

(Disclaimer: I'm writing my own HTTP server.)

---Dan