NetBSD Security Advisory 2018-009: bozohttpd can allow access to .htpasswd
12 December, 2018 by security-officer@netbsd.org | netbsd
NetBSD Security Advisory 2018-009
=================================

Topic:          bozohttpd can allow access to .htpasswd

Version:        NetBSD-current:     prior to 2018-11-22
                NetBSD 8*:          affected
                NetBSD 7.2*:        affected
                NetBSD 7.1*:        affected
                pkgsrc:             bozohttpd package prior to 20181123

Severity:       Remote access to encrypted passwords and usernames

Fixed:          NetBSD-current:     November 21, 2018
                NetBSD-8 branch:    November 24, 2018
                NetBSD-7-2 branch:  November 24, 2018
                NetBSD-7-1 branch:  November 24, 2018
                pkgsrc-current:     bozohttpd-20181123 corrects this issue

Please note that NetBSD releases prior to 7.1 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

Under certain circumstances bozohttpd(8) can be tricked into revealing the
contents of certain special files. These special files are configuration
files for bozohttpd(8) and include the standard .htpasswd file for HTTP
Basic Authorisation (RFC-7617), which contains both a list of user names
and their encrypted passwords.


Technical Details
=================

There were two problems in the handling of bozohttpd special files.

The first was a missing check against .htpasswd itself in some cases,
which allowed the encrypted passwords and usernames for the top-level
directory to be seen. Any empty top-level directory name elided the check
for any special files. All requests now check special files.

The second was a lack of short circuit when the error was detected. The
error would be returned, but instead of closing the connection, the
contents of the requested file were also returned. This was caused by not
checking the return value of bozo_check_special_files(). This function is
now marked with the "warn_unused_result" attribute.


Solutions and Workarounds
=========================

Users of any bozohttpd(8) features using special files should upgrade to
bozohttpd 20181123 or later.
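The two defects described under Technical Details, illustrated with added example code (not bozohttpd's own): a special-file check that inspects every path component, so an empty top-level directory name cannot skip it, carrying the warn_unused_result attribute, and a handler that stops before sending a body once the check fails. The list of special names, the function names and the request handler are assumptions made for the illustration.

```c
/* Added illustration, not bozohttpd source: check every component of a
 * request path against the special-file names and honour the result. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Names the server must never serve. Only .htpasswd is named in the
 * advisory; this list is an assumption for the example. */
static const char *const special_names[] = { ".htpasswd", NULL };

/* Return true if any path component names a special file. Every
 * component is examined, including empty ones, so "//.htpasswd" or
 * "/.htpasswd" are caught just like "/dir/.htpasswd". The attribute
 * makes the compiler warn when a caller discards the verdict. */
__attribute__((warn_unused_result))
bool check_special_files(const char *request)
{
    const char *p = request;
    while (*p) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        for (int i = 0; special_names[i]; i++) {
            if (len == strlen(special_names[i]) &&
                strncmp(p, special_names[i], len) == 0)
                return true;
        }
        if (!end)
            break;
        p = end + 1;        /* an empty component simply has len == 0 */
    }
    return false;
}

/* Simulated request handler: returns the HTTP status and writes the body
 * that would be sent. The advisory's second bug was the equivalent of
 * ignoring check_special_files() here, so the 403 was followed by the
 * file contents anyway; this version short-circuits instead. */
int handle_request(const char *request, char *body, size_t bodylen)
{
    if (check_special_files(request)) {
        body[0] = '\0';     /* error only, no file contents */
        return 403;
    }
    snprintf(body, bodylen, "contents of %s", request);
    return 200;
}
```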
There is no workaround except for not using these features, which may mean
simply disabling parts of the served tree until the server is upgraded.

Consider changing all the passwords used in the .htpasswd as they may be
compromised.

To apply a fixed version from a releng build, fetch a fitting base.tgz
from nyftp.netbsd.org and extract the fixed binaries:

    cd /var/tmp
    ftp http://nyftp.netbsd.org/pub/NetBSD-daily/REL/BUILD/ARCH/binary/sets/base.tgz
    cd /
    tar xzpf /var/tmp/base.tgz ./usr/libexec/httpd

with the following replacements:

    REL   = the release version you are using
    BUILD = the source date of the build. 20181125* and later will fit
    ARCH  = your system's architecture

The following instructions describe how to upgrade your bozohttpd
binaries by updating your source tree and rebuilding and installing a new
version of bozohttpd.

* NetBSD-current:

    Systems running NetBSD-current dated from before 2018-11-21 should be
    upgraded to NetBSD-current dated 2018-11-22 or later.

    The following files/directories need to be updated from the
    netbsd-current CVS branch (aka HEAD):

        src/libexec/httpd

    To update from CVS, re-build, and re-install bozohttpd:

        # cd src
        # cvs update -d -P src/libexec/httpd
        # cd src/libexec/httpd
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install

* NetBSD 8.*:

    Systems running NetBSD 8.* sources dated from before 2018-11-24 should
    be upgraded from NetBSD 8.* sources dated 2018-11-25 or later.

    The following files/directories need to be updated from the netbsd-8
    branch:

        src/libexec/httpd

    To update from CVS, re-build, and re-install bozohttpd:

        # cd src
        # cvs update -r netbsd-8 -d -P src/libexec/httpd
        # cd src/libexec/httpd
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install

* NetBSD 7.*:

    Systems running NetBSD 7.* sources dated from before 2018-11-24 should
    be upgraded from NetBSD 7.* sources dated 2018-11-25 or later.
    The following files/directories need to be updated from the netbsd-7,
    netbsd-7-2 or netbsd-7-1 branches:

        src/libexec/httpd

    To update from CVS, re-build, and re-install bozohttpd:

        # cd src
        # cvs update -r <branch_name> -d -P src/libexec/httpd
        # cd src/libexec/httpd
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install


Thanks To
=========

Thanks to JP for reporting this issue and helping find the problematic
code. Thanks to Matthew Green for fixing this and other DoS issues
reported by JP.


Revision History
================

2018-12-11  Initial release


More Information
================

Advisories may be updated as new information becomes available.

The most recent version of this advisory (PGP signed) can be found at
http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2018-009.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .


Copyright 2018, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.