Bug 183825

Summary:	www-servers/shttpd <= 1.38 script source disclosure (CVE-2007-3407)
Product:	Gentoo Security	Reporter:	Pierre-Yves Rofes (RETIRED) <py>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED INVALID
Severity:	trivial	CC:	www-servers+disabled
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://secunia.com/advisories/25809/
Whiteboard:	~4 [upstream] p-y
Package list:		Runtime testing required:	---
Bug Depends on:
Bug Blocks:	173888

Description Pierre-Yves Rofes (RETIRED) gentoo-dev

2007-07-01 12:10:13 UTC

Shay priel has reported a vulnerability in SHTTPD, which can be exploited by malicious people to disclose potentially sensitive information.

The vulnerability is caused due to an error within the handling of HTTP requests and can be exploited to disclose the source code of certain scripts (e.g. PHP) by appending e.g. "%20" to an URI.

The vulnerability is reported in version 1.38. Other versions may also be affected.

Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev

2007-07-01 12:11:23 UTC

setting status and cc'ing herd.

Comment 2 Thilo Bangert (RETIRED) (RETIRED) gentoo-dev

2007-08-27 20:29:58 UTC

from
http://sourceforge.net/mailarchive/forum.php?thread_name=72c3a9570706292333s57be3b44x8cca9849e37561c6%40mail.gmail.com&forum_name=shttpd-general

> I have tried on my UNIX stations here, shttpd shows 404 error,
> as it should be. May be it is windows-specific ?
> Unfortunately I do not have any Windows atm to play.

Comment 3 Pierre-Yves Rofes (RETIRED) gentoo-dev

2007-09-24 19:42:05 UTC

tried it with 1.38 and 1.35, the PoC doesn't work and it serves 404 as expected. closing as invalid. feel free to reopen if this PoC actually works for you on a Gentoo platform.