Package: mini-httpd
Version: 1.23-1.2
Severity: important
Tags: patch

The mini-httpd daemon (version <= v1.30) is affected by a response discrepancy information exposure (CWE-204) that allows a remote attacker to enumerate valid htpasswd usernames (RFC 7617).

A detailed advisory is available at:
https://speirofr.appspot.com/files/advisory/SPADV-2018-01.md

## Description

Requesting an .htpasswd-protected URL with a valid username part but without the corresponding password, e.g. "user:" as permitted by RFC 7617, causes mini-httpd to terminate unexpectedly:

~~~
user@box $ curl http://user@127.0.0.1:8000/auth/
curl: (52) Empty reply from server
~~~

The cause is a NULL pointer dereference at mini_httpd.c:2407. Because the crash only happens when the supplied username exists in the htpasswd file, the difference between an empty reply and a normal 401 lets a remote attacker enumerate valid htpasswd usernames (RFC 7617).

## Fix

~~~
>From 62eff179b34cd1435017438ab99ed1906b6cc6c8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Salva=20Peir=C3=B3?= <speir...@gmail.com>
Date: Wed, 5 Dec 2018 18:46:46 +0100
Subject: [PATCH] Fix NULL pointer dereference at mini_httpd.c:2407 (SPADV-2018-01)

---
 mini_httpd.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/mini_httpd.c b/mini_httpd.c
index 03d0cdd..77f030f 100644
--- a/mini_httpd.c
+++ b/mini_httpd.c
@@ -2404,7 +2404,8 @@ auth_check( char* dirname )
 /* Yes. */
 (void) fclose( fp );
 /* So is the password right? */
-if ( strcmp( crypt( authpass, cryp ), cryp ) == 0 )
+char *cryptpass = crypt( authpass, cryp );
+if ((cryptpass != NULL) && (strcmp(cryptpass, cryp ) == 0) )
 {
 /* Ok! */
 remoteuser = line;
-- 
2.11.0
~~~

-- System information

Versions of packages mini-httpd depends on:
ii  libc6      2.24-11+deb9u3
ii  libssl1.1  1.1.0j-1~deb9u1

Versions of packages mini-httpd recommends:
ii  apache2-utils  2.4.25-3+deb9u6

mini-httpd suggests no packages.

-- no debconf information
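Review bot: the `cryptpass != NULL` guard in the hunk stops the crash at mini_httpd.c:2407 but silently folds a crypt() failure into the wrong-password path. crypt(3) returns NULL when the setting string taken from the htpasswd line is malformed or uses a hash mechanism the libc does not support, so a NULL here is a server-side configuration or library problem rather than a bad credential; suggest logging the failure (crypt(3) sets errno) before falling through to the deny path so an operator can tell a misconfigured htpasswd entry from an ordinary failed login. Two smaller points: the declaration `char *cryptpass = crypt( authpass, cryp );` sits after statements in the block, which C89 compilers reject, so declare `cryptpass` at the top of the enclosing block; and the new condition compares against `NULL` while the surrounding line `if ( strcmp( crypt( authpass, cryp ), cryp ) == 0 )` and the rest of this function use the `( char* ) 0` spelling, so `cryptpass != (char*) 0` would keep the style consistent.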
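The description above comes down to two properties a Basic-auth check must have: a NULL result from the hashing routine must be treated as a failed login rather than dereferenced, and an unknown user, a known user with an empty password, and a known user whose stored hash cannot be processed must all end in the same verdict so the response does not reveal which usernames exist. The following C program is an added example, not code from mini_httpd or the patch author: it mirrors the patched condition in a self-contained `check_basic_auth()` and splits the decoded `user:password` string the way the report describes. The hash routine `toy_hash` and the `demo_table` entries are constructed stand-ins (the toy hash is not a real password hash and is only there so the program builds without `-lcrypt`); like crypt(3), `toy_hash` returns NULL when it does not recognise the setting string, which is the failure mode the guard has to handle.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum auth_result { AUTH_OK = 0, AUTH_DENIED = 1 };

/* Same shape as crypt(3): key and setting in, hash text out, NULL on failure. */
typedef char *(*hash_fn)(const char *key, const char *setting);

/* One htpasswd line: username and the stored hash/setting string. */
struct htpasswd_entry { const char *user; const char *hash; };

#define TOY_PREFIX "$toy$"

/* Constructed stand-in for crypt(3), NOT a real password hash (assumption for
 * this example): returns TOY_PREFIX followed by the key, and returns NULL when
 * the setting string does not carry a prefix it understands, which is how
 * crypt(3) reports a malformed or unsupported setting. */
static char *toy_hash(const char *key, const char *setting)
{
    static char out[256];
    if (key == NULL || setting == NULL) return NULL;
    if (strncmp(setting, TOY_PREFIX, strlen(TOY_PREFIX)) != 0) return NULL;
    if (strlen(key) + strlen(TOY_PREFIX) >= sizeof out) return NULL;
    strcpy(out, TOY_PREFIX);
    strcat(out, key);
    return out;
}

/* Hardened check equivalent to the patched condition in auth_check(): the
 * hash result is tested for NULL before strcmp(), and every failure (unknown
 * user, NULL hash, mismatch) returns the same AUTH_DENIED so the caller can
 * send one uniform 401 whether or not the username exists. */
static enum auth_result check_basic_auth(const char *authinfo,
                                         const struct htpasswd_entry *table,
                                         size_t n, hash_fn hash)
{
    char buf[256];
    char *authpass, *colon;
    size_t i;
    enum auth_result verdict = AUTH_DENIED;

    if (authinfo == NULL || strlen(authinfo) >= sizeof buf) return AUTH_DENIED;
    strcpy(buf, authinfo);

    /* Split the decoded "user:password"; "user:" (the trigger from the
     * report) yields an empty password string, not a NULL pointer. */
    authpass = strchr(buf, ':');
    if (authpass == NULL) return AUTH_DENIED;   /* no colon: bogus auth info */
    *authpass++ = '\0';
    colon = strchr(authpass, ':');               /* cut off any extra fields */
    if (colon != NULL) *colon = '\0';

    for (i = 0; i < n; i++) {
        if (strcmp(table[i].user, buf) == 0) {
            char *cryptpass = hash(authpass, table[i].hash);
            /* The guard the patch adds: NULL never reaches strcmp(). */
            if (cryptpass != NULL && strcmp(cryptpass, table[i].hash) == 0)
                verdict = AUTH_OK;
            break;
        }
    }
    return verdict;
}

/* Constructed htpasswd table for the demonstration. */
static const struct htpasswd_entry demo_table[] = {
    { "alice", TOY_PREFIX "s3cret" },
    { "bob",   "$2y$unsupported" },   /* a setting toy_hash cannot process */
};

int main(void)
{
    const size_t n = sizeof demo_table / sizeof demo_table[0];
    /* 0 = AUTH_OK, 1 = AUTH_DENIED; the three failures are indistinguishable. */
    printf("alice:s3cret -> %d\n", check_basic_auth("alice:s3cret", demo_table, n, toy_hash));
    printf("alice:       -> %d\n", check_basic_auth("alice:", demo_table, n, toy_hash));
    printf("mallory:x    -> %d\n", check_basic_auth("mallory:x", demo_table, n, toy_hash));
    printf("bob:anything -> %d\n", check_basic_auth("bob:anything", demo_table, n, toy_hash));
    return 0;
}
```

The `bob` entry is where the unpatched form `strcmp( crypt( authpass, cryp ), cryp )` would dereference NULL; with the guard in place the request is simply denied. In a real server the caller should additionally log a NULL from crypt(3), since it points at an htpasswd entry the libc cannot verify rather than at a wrong password.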