
Bug 128165

Summary: www-servers/thttpd: htpasswd Arbitrary Privileged Command Execution (CAN-2006-1354)
Product: Gentoo Security Reporter: Eduardo Tongson <propolice>
Component: Vulnerabilities
Assignee: www-servers Herd (OBSOLETE) <www-servers+disabled>
Status: RESOLVED FIXED
Severity: normal CC: bangert
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://archives.neohapsis.com/archives/bugtraq/2006-02/0663.html
Whiteboard:
Package list:
Runtime testing required: ---
Attachments:
  Description                     Flags
  htpasswdc_temporaryfix.patch    none

Description Eduardo Tongson 2006-03-30 13:23:51 UTC
thttpd contains a flaw that may allow a malicious local user to execute privileged commands. The issue is triggered when a user calls the 'htpasswd' utility but supplies arbitrary commands along with a username to be added to a password file. It is possible that the flaw may allow the user to bypass the required authentication and execute arbitrary programs with privileged access.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2006-1079
http://marc.theaimsgroup.com/?l=thttpd&m=114153031201867&w=2
http://www.osvdb.org/23828

* Waiting for upstream developer to publish a new/fixed version
* attached a temporary fix (additional input validation)
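The bug class the description refers to, as an added example that is not thttpd's htpasswd.c: a privileged helper that splices its username argument into a shell command line, next to the allow-list check that an "additional input validation" fix takes and a rewrite that needs no shell at all. The command string, the password-file format, the 32-character limit and the permitted character set are assumptions made for the illustration.

```c
/* Added example: the "argument reaches a shell" bug class, beside a hardened
 * form. Illustrative code only; the command line and file format are assumed. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Vulnerable shape: the username is spliced unquoted into a command that a real
 * program would hand to system(). Only the string is built here, so the test can
 * show the injected text surviving into the command line without running it. */
int build_command_unsafe(char *cmd, size_t cmdlen, const char *pwfile,
                         const char *user, const char *hash)
{
    int n = snprintf(cmd, cmdlen, "echo %s:%s >> %s", user, hash, pwfile);
    return (n >= 0 && (size_t)n < cmdlen) ? 0 : -1;
}

/* Allow-list validation: 1..32 characters of [A-Za-z0-9._-], not starting with
 * '-' (would look like an option to any tool that sees it) or '.' (path games).
 * Anything a shell could interpret is rejected outright instead of escaped. */
int valid_username(const char *user)
{
    size_t len = strlen(user);
    if (len == 0 || len > 32) return 0;
    if (user[0] == '-' || user[0] == '.') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)user[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Hardened form: validate, then append the record with stdio. No shell is
 * involved, so metacharacters have nothing to reach. Returns 0 on success,
 * -1 on invalid input or I/O error. */
int add_user_safe(const char *pwfile, const char *user, const char *hash)
{
    if (!valid_username(user)) return -1;
    /* the hash field must not carry the record separators either */
    if (hash[0] == '\0' || strpbrk(hash, ":\n\r") != NULL) return -1;
    FILE *f = fopen(pwfile, "a");
    if (f == NULL) return -1;
    int rc = (fprintf(f, "%s:%s\n", user, hash) < 0) ? -1 : 0;
    if (fclose(f) != 0) rc = -1;
    return rc;
}

/* Helper for the demonstration: copy the last line of pwfile into buf. */
int last_line(const char *pwfile, char *buf, size_t buflen)
{
    FILE *f = fopen(pwfile, "r");
    if (f == NULL) return -1;
    char line[256];
    buf[0] = '\0';
    while (fgets(line, sizeof line, f) != NULL) {
        strncpy(buf, line, buflen - 1);
        buf[buflen - 1] = '\0';
    }
    fclose(f);
    return 0;
}

int main(void)
{
    char cmd[256];
    /* constructed malicious username: a ';' smuggles a second command */
    const char *evil = "bob; id";
    build_command_unsafe(cmd, sizeof cmd, "/tmp/htpasswd.demo", evil, "x");
    printf("unsafe command line: %s\n", cmd);
    printf("valid_username(\"%s\") = %d\n", evil, valid_username(evil));
    printf("valid_username(\"alice\")   = %d\n", valid_username("alice"));
    return 0;
}
```

Rejecting on the allow-list rather than escaping is the point: escaping has to be correct for every shell the helper might run under, while a whitelist of username characters is easy to get right and leaves nothing for the shell to parse. Removing the system() call entirely, as add_user_safe does, is the stronger fix and makes the validation a defence in depth.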
Comment 1 Eduardo Tongson 2006-03-30 13:25:45 UTC
Created attachment 83458
htpasswdc_temporaryfix.patch

attached the temporary fix
Comment 2 Tavis Ormandy (RETIRED) gentoo-dev 2006-03-30 13:31:04 UTC
reassigning to www-servers, this is clearly not a security issue.
Comment 3 Thilo Bangert (RETIRED) gentoo-dev 2007-02-28 22:49:01 UTC
now in version 2.25b-r7 - please test.