FreeBSD Security Advisory FreeBSD-SA-01:66.thttpd

FreeBSD Security Advisories security-advisories at
Tue Dec 11 09:01:49 PST 2001


FreeBSD-SA-01:66                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          thttpd port contains remotely vulnerability

Category:       ports
Module:         thttpd
Announced:      2001-12-11
Credits:        GOBBLES SECURITY
Affects:        Ports collection prior to the correction date
Corrected:      2001-11-22 00:10:56 UTC
FreeBSD only:   no

I.   Background

thttpd is a simple, small, portable, fast, and secure HTTP server.

II.  Problem Description

In auth_check(), there is an off-by-one error in computing the amount
of memory needed for storing a NUL terminated string.  Specifically, a
stack buffer of 500 bytes is used to store a string of up to 501 bytes
including the terminating NUL.

III. Impact

Due to the location of the affected buffer on the stack, this bug
can be exploited using ``The poisoned NUL byte'' technique (see
references).  A remote attacker can hijack the thttpd process,
obtaining whatever privileges it has.  By default, the thttpd process
runs as user `nobody'.

IV.  Workaround

1) Deinstall the thttpd port/package if you have it installed.

V.   Solution

1) Upgrade your entire ports collection and rebuild the port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from the following directories:


Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.

3) Download a new port skeleton for the thttpd port from:

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in the FreeBSD ports collection.

Path                                                             Revision
- -------------------------------------------------------------------------
ports/www/thttpd/Makefile                                            1.23
ports/www/thttpd/distinfo                                            1.20
ports/www/thttpd/files/patch-fdwatch.c                            removed
- -------------------------------------------------------------------------

VII. References



This is the moderated mailing list freebsd-announce.
The list contains announcements of new FreeBSD capabilities,
important events and project milestones.
See also the FreeBSD Web pages at

To Unsubscribe: send mail to majordomo at
with "unsubscribe freebsd-announce" in the body of the message

More information about the freebsd-announce mailing list