thttpd contains a flaw that may allow a malicious local user to execute privileged commands. The issue is triggered when a user calls the 'htpasswd' utility but supplies arbitrary commands along with a username to be added to a password file. It is possible that the flaw may allow the user to bypass the required authentication and execute arbitrary programs with privileged access.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2006-1079
http://marc.theaimsgroup.com/?l=thttpd&m=114153031201867&w=2
http://www.osvdb.org/23828

* Waiting for upstream developer to publish a new/fixed version
* attached a temporary fix (additional input validation)
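The pattern the report above describes (a username reaching a shell command unchecked) and the kind of input validation a temporary fix would add, as an added example. This is illustrative code written for this thread, not thttpd's htpasswd.c and not the attached patch; the `unsafe_build_command` shape is an assumption about how such a bug looks, the password-file contents are constructed, and the hardened functions show the two defences a reviewer would want: a strict username allow-list, and rewriting the records in memory so no shell is ever invoked.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical illustration of the pattern the report describes (not thttpd's
 * actual code): the username is spliced into a command handed to /bin/sh, so a
 * name such as "bob;id" runs "id" with the privileges of whoever runs the tool. */
static int unsafe_build_command(char *out, size_t outsz,
                                const char *pwfile, const char *user)
{
    return snprintf(out, outsz, "grep -v ^%s: %s", user, pwfile);
}

/* Input validation: accept only characters a password-file username needs.
 * Rejects ':' (the record separator), whitespace and every shell
 * metacharacter; also rejects a leading '-' so the name can never be parsed
 * as an option by a program that receives it in argv.  Returns 1 if valid. */
int valid_username(const char *user)
{
    size_t len = strlen(user);
    if (len == 0 || len > 255 || user[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)user[i];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.' || c == '@'))
            return 0;
    }
    return 1;
}

/* Copy the "user:hash" records from in to out, dropping every record whose
 * user field equals user.  Operates on the bytes directly, so no shell is
 * involved and nothing in the data is ever interpreted.  Returns the number
 * of records dropped, or -1 if out is too small. */
int drop_user_records(const char *in, const char *user, char *out, size_t outsz)
{
    size_t ulen = strlen(user), o = 0;
    int dropped = 0;
    const char *p = in;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t linelen = nl ? (size_t)(nl - p) + 1 : strlen(p);
        int match = linelen > ulen && strncmp(p, user, ulen) == 0 && p[ulen] == ':';
        if (match) {
            dropped++;
        } else {
            if (o + linelen >= outsz)
                return -1;
            memcpy(out + o, p, linelen);
            o += linelen;
        }
        p += linelen;
    }
    out[o] = '\0';
    return dropped;
}

/* Hardened "add or replace user" step: validate first, then rewrite the
 * records in memory and append the new one.  Returns 0 on success, -2 for a
 * rejected username or hash, -1 if out is too small.  Writing out to a
 * temporary file and rename()ing it over the original is left to the caller;
 * no system() call is needed anywhere. */
int htpasswd_update(const char *in, const char *user, const char *hash,
                    char *out, size_t outsz)
{
    if (!valid_username(user) || strpbrk(hash, ":\n") != NULL)
        return -2;
    if (drop_user_records(in, user, out, outsz) < 0)
        return -1;
    size_t o = strlen(out);
    int n = snprintf(out + o, outsz - o, "%s:%s\n", user, hash);
    if (n < 0 || (size_t)n >= outsz - o)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample password file; the hashes are placeholders. */
    const char *pwfile = "alice:$1$abc\nbob:$1$def\n";
    char out[256], cmd[256];

    unsafe_build_command(cmd, sizeof cmd, "/etc/thttpd/passwd", "bob;id");
    printf("unsafe command string: %s\n", cmd);

    printf("update bob    -> %d\n", htpasswd_update(pwfile, "bob", "$1$new", out, sizeof out));
    printf("%s", out);
    printf("update bob;id -> %d\n", htpasswd_update(pwfile, "bob;id", "$1$new", out, sizeof out));
    return 0;
}
```

The allow-list is deliberately narrow; if a deployment needs other characters in usernames, widen it explicitly rather than switching to a deny-list of shell metacharacters, which is easy to get wrong. The more durable fix is the second half: once the tool never builds a command string from its arguments, the validation only protects the file format, not the host.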
Created attachment 83458: htpasswdc_temporaryfix.patch

attached the temporary fix
Reassigning to www-servers; this is clearly not a security issue.
Now in version 2.25b-r7 - please test.