thttpd defang function buffer overflow

thttpd-defang-bo (13530) The risk level is classified as HighHigh Risk

Description:

thttpd is vulnerable to a buffer overflow in the defang function in the libhttpd.c file. A remote attacker could exploit this vulnerability to overflow a buffer and execute arbitrary code on the system.


Consequences:

Gain Access

Remedy:

For thttpd:
Upgrade to the latest version of thttpd (2.24 or later), available from the thttpd Web page. See References.

For Debian GNU/Linux 3.0 (woody):
Upgrade to the latest thttpd package (2.21b-11.2 or later), as listed in DSA-396-1. See References.

For SuSE Linux:
Upgrade to the latest thttpd package, as listed below. Refer to SuSE Security Announcement SuSE-SA:2003:044 for more information. See References..

SuSE Linux 9.0 (Intel): thttpd-2.23beta1-165 or later.
SuSE Linux 8.2 (Intel): thttpd-2.23beta1-164 or later
SuSE Linux 8.1 (Intel): thttpd-2.23beta1-163 or later
SuSE Linux 8.0 (Intel): thttpd-2.20c-98 or later
SuSE Linux 7.3 (Intel): thttpd-2.20b-175 or later
SuSE Linux 7.3 (PPC): thttpd-2.20b-112 or later.

For other distributions:
Contact your vendor for upgrade or patch information.

References:

  • BugTraq Mailing List, Mon Oct 27 2003 - 14:33:47 CST : Remote overflow in thttpd.
  • thttpd Web page: thttpd.
  • BID-8906: thttpd defang Remote Buffer Overflow Vulnerability
  • CVE-2003-0899: Buffer overflow in defang in libhttpd.c for thttpd 2.21 to 2.23b1 allows remote attackers to execute arbitrary code via requests that contain '<' or '>' characters, which trigger the overflow when the characters are expanded to < and > sequences.
  • DSA-396: thttpd -- missing input sanitizing
  • SA10092: thttpd "defang()" Buffer Overflow Vulnerability
  • SUSE-SA:2003:044: thttpd: remote privilege escalation/information leak

Platforms Affected:

  • ACME thttpd 2.21 - 2.23b1
  • Debian Debian Linux 3.0
  • SUSE SuSE Linux 7.3
  • SUSE SuSE Linux 8.0
  • SUSE SuSE Linux 8.1
  • SUSE SuSE Linux 8.2
  • SUSE SuSE Linux 9.0

Reported:

Oct 27, 2003

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page