Acme thttpd Arbitrary World-Readable File Disclosure Vulnerability

The Acme thttpd HTTP server includes a CGI program external to thttpd, called "ssi", which provides the server-side-includes functionality that some HTTP daemons have built in.

Names of files to be filtered through the ssi script are passed to ssi via the PATH_TRANSLATED environment variable. Certain escape sequences are not properly filtered by ssi. As a result, by submitting malicious URLs (using hex-escaped ".." sequences to bypass filtering), an attacker can view arbitrary files in known locations anywhere on the web server.
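
The class of flaw described above, a ".." check that runs on the still-escaped path, shown beside the corrected order of operations. This is an added illustration in C, not thttpd's or ssi's actual code; all function names and sample paths are constructed for the example.

```c
/* Added illustration; function names are hypothetical, not thttpd/ssi code. */
#include <ctype.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c) {
    if (isdigit(c)) return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decode %XX into dst; -1 on bad escape, encoded NUL, or overflow. */
int url_decode(const char *src, char *dst, size_t dstlen) {
    size_t o = 0;
    if (dstlen == 0) return -1;
    for (size_t i = 0; src[i] != '\0'; i++) {
        int c = (unsigned char)src[i];
        if (c == '%') {
            int hi = hexval((unsigned char)src[i + 1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)src[i + 2]);
            if (hi < 0 || lo < 0 || (hi == 0 && lo == 0)) return -1;
            c = hi * 16 + lo;
            i += 2;
        }
        if (o + 1 >= dstlen) return -1;
        dst[o++] = (char)c;
    }
    dst[o] = '\0';
    return 0;
}

/* 1 if any '/'-separated component of p is exactly "..", else 0. */
int has_dotdot(const char *p) {
    while (*p != '\0') {
        size_t n = strcspn(p, "/");
        if (n == 2 && p[0] == '.' && p[1] == '.') return 1;
        p += n + (p[n] == '/');   /* skip the component and its separator */
    }
    return 0;
}

/* Flawed order: inspects the raw path, so an escaped ".." is not seen. */
int check_before_decode(const char *raw) { return has_dotdot(raw) ? -1 : 0; }

/* Corrected order: decode once, then inspect the bytes that will be used. */
int check_after_decode(const char *raw) {
    char buf[1024];
    if (url_decode(raw, buf, sizeof buf) != 0) return -1;
    return has_dotdot(buf) ? -1 : 0;
}
```

A string check like this is one layer; a handler should also resolve the final path and confirm it stays under the document root before opening the file.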


