NetBSD Security Advisory 2018-009: bozohttpd can allow access to .htpasswd

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

		 NetBSD Security Advisory 2018-009
		 =================================

Topic:	bozohttpd can allow access to .htpasswd

Version:	NetBSD-current:		prior to 2018-11-22
		NetBSD 8*:		affected
		NetBSD 7.2*:		affected
		NetBSD 7.1*:		affected
		pkgsrc:			bozohttpd package prior to 20181123

Severity:	Remote access to encrypted passwords and usernames

Fixed:		NetBSD-current:		November 21, 2018
		NetBSD-8 branch:	November 24, 2018
		NetBSD-7-2 branch:	November 24, 2018
		NetBSD-7-1 branch:	November 24, 2018
		pkgsrc-current:		bozohttpd-20181123 corrects this issue

Please note that NetBSD releases prior to 7.1 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

Under certain circumstances bozohttpd(8) can be tricked into revealing
the contents of certain special files.  These special files are
configuration files for bozohttpd(8) and include the standard .htpasswd
file for HTTP Basic Authorisation (RFC-7617), which contains both a
list of user names and their encrypted passwords.

Technical Details
=================

There were two problems in the handling of bozohttpd special files.  The
first was a missing check against .htpasswd itself in some cases, which
allowed the encrypted passwords and usernames for the top-level directory
to be seen.  An empty top-level directory name elided the check for any
special files.  All requests now check special files.

The second was a lack of short-circuiting when the error was detected.  The
error would be returned, but instead of closing the connection, the
contents of the requested file were also returned.  This was caused by
not checking the return value of bozo_check_special_files().  This
function is now marked with the "warn_unused_result" attribute.
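As an added illustration (this is not bozohttpd's code; the function and type names are invented for the example, and only .htpasswd in the special-file list comes from the advisory), the following C program models both defects described above and the fixed control flow: the check must run even when the directory component of the request is empty, and a failed check must end the request before any file content is produced.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example modelling the two defects from the advisory.
 * Not bozohttpd's code; names are hypothetical. */

/* Files that must never be served. Only .htpasswd is taken from the
 * advisory; a real server would extend this with its other control files. */
static const char *const special_names[] = { ".htpasswd", NULL };

struct response {
    int status;      /* HTTP status the server would send */
    int body_sent;   /* 1 if file contents were emitted */
};

/* Split "/dir/sub/file" into dir="dir/sub" and file="file".  For "/file"
 * dir is the empty string, which is exactly the case that bypassed the
 * old check. */
static void split_uri(const char *uri, char *dir, size_t dlen,
                      char *file, size_t flen)
{
    const char *p = uri;
    while (*p == '/')
        p++;
    const char *slash = strrchr(p, '/');
    if (slash == NULL) {
        dir[0] = '\0';
        snprintf(file, flen, "%s", p);
    } else {
        size_t n = (size_t)(slash - p);
        if (n >= dlen)
            n = dlen - 1;
        memcpy(dir, p, n);
        dir[n] = '\0';
        snprintf(file, flen, "%s", slash + 1);
    }
}

static int is_special_name(const char *name)
{
    for (const char *const *s = special_names; *s != NULL; s++)
        if (strcmp(name, *s) == 0)
            return 1;
    return 0;
}

/* Old behaviour (illustrative): an empty directory elided the check. */
static int check_special_files_old(const char *dir, const char *file)
{
    if (*dir == '\0')
        return 0;                   /* defect 1: top-level files never checked */
    return is_special_name(file) ? -1 : 0;
}

/* Fixed behaviour: every request is checked, and the compiler warns if a
 * caller drops the result (gcc/clang attribute, as the advisory describes). */
__attribute__((warn_unused_result))
static int check_special_files(const char *file)
{
    return is_special_name(file) ? -1 : 0;
}

/* Pre-fix control flow: the error is recorded but the request keeps going
 * and the body is emitted anyway (defect 2). */
struct response handle_request_old(const char *uri)
{
    char dir[128], file[128];
    struct response r = { 200, 0 };
    split_uri(uri, dir, sizeof dir, file, sizeof file);
    if (check_special_files_old(dir, file) != 0)
        r.status = 403;             /* error noted ... */
    r.body_sent = 1;                /* ... but not acted on: contents still sent */
    return r;
}

/* Fixed control flow: a failed check ends the request before any content. */
struct response handle_request(const char *uri)
{
    char dir[128], file[128];
    struct response r = { 200, 0 };
    split_uri(uri, dir, sizeof dir, file, sizeof file);
    if (check_special_files(file) != 0) {
        r.status = 403;
        return r;                   /* short-circuit: no body */
    }
    r.body_sent = 1;
    return r;
}

int main(void)
{
    /* Constructed request paths: top-level, nested, and an ordinary file. */
    const char *uris[] = { "/.htpasswd", "/private/.htpasswd", "/index.html" };
    for (size_t i = 0; i < sizeof uris / sizeof uris[0]; i++) {
        struct response o = handle_request_old(uris[i]);
        struct response n = handle_request(uris[i]);
        printf("%-20s old: %d body=%d   fixed: %d body=%d\n",
               uris[i], o.status, o.body_sent, n.status, n.body_sent);
    }
    return 0;
}
```

Building with `-Werror=unused-result` turns a dropped return value from the attributed check into a compile error, which is the property the advisory's "warn_unused_result" fix relies on.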

Solutions and Workarounds
=========================

Users of any bozohttpd(8) features using special files should be upgraded
to bozohttpd 20181123 or later.  There is no workaround except for not
using these features, which may mean simply disabling parts of the served
tree until the server is upgraded.  Consider changing all the passwords used
in the .htpasswd as they may be compromised.

To apply a fixed version from a releng build, fetch a fitting base.tgz
from nyftp.netbsd.org and extract the fixed binaries:

cd /var/tmp
ftp http://nyftp.netbsd.org/pub/NetBSD-daily/REL/BUILD/ARCH/binary/sets/base.tgz
cd /
tar xzpf /var/tmp/base.tgz ./usr/libexec/httpd

with the following replacements:
REL   = the release version you are using
BUILD = the source date of the build. 20181125* and later will fit
ARCH  = your system's architecture


The following instructions describe how to upgrade your bozohttpd
binaries by updating your source tree and rebuilding and installing
a new version of bozohttpd.

* NetBSD-current:

	Systems running NetBSD-current dated from before 2018-11-21
	should be upgraded to NetBSD-current dated 2018-11-22 or later.

	The following files/directories need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		src/libexec/httpd

	To update from CVS, re-build, and re-install bozohttpd:
		# cd src
		# cvs update -A -d -P src/libexec/httpd
		# cd src/libexec/httpd
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

* NetBSD 8.*:

	Systems running NetBSD 8.* sources dated from before
	2018-11-24 should be upgraded from NetBSD 8.* sources dated
	2018-11-25 or later.

	The following files/directories need to be updated from the
	netbsd-8 branch:
		src/libexec/httpd

	To update from CVS, re-build, and re-install bozohttpd:

		# cd src
		# cvs update -r netbsd-8 -d -P src/libexec/httpd
		# cd src/libexec/httpd
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

* NetBSD 7.*:

	Systems running NetBSD 7.* sources dated from before
	2018-11-24 should be upgraded from NetBSD 7.* sources dated
	2018-11-25 or later.

	The following files/directories need to be updated from the
	netbsd-7, netbsd-7-2 or netbsd-7-1 branches:
		src/libexec/httpd

	To update from CVS, re-build, and re-install bozohttpd:

		# cd src
		# cvs update -r <branch_name> -d -P src/libexec/httpd
		# cd src/libexec/httpd
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

Thanks To
=========

Thanks to JP for reporting this issue and helping find the problematic code.
Thanks to Matthew Green for fixing this and other DoS issues reported by JP.

Revision History
================

	2018-12-11	Initial release

More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2018-009.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .

Copyright 2018, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.
-----BEGIN PGP SIGNATURE-----

iQIcBAEBAgAGBQJcD89UAAoJEAZJc6xMSnBuYZkP/2+xBFItowBMvEPuoJhwE6rH
MRa/K+IqDRkJwJXvcbDXBVthXWVCFieYQYCxTz4rSeVPS1wBI81k7P6p2Bh9IwIh
JcespXvf111gAp6BlHRju2WJ9dYMsw1E6HjWA2C4SvZ6+wdo3gVgxyoX2nL2P7cb
jwFOiCDDKqUFvL0NRB2fF1lqQM5y/AW2uFqeGXn7PgwZBnNg7GBH5Ar7Hxe16cGo
BaI+O37jkjziY9Fle5FY0EndWtmk8BKIDX9oHy+ONWp791ZY7uLBfLCoW3bUGcLY
cqp65J+xSGH0vsY9zRsdIVw9GHdpTgSYuOR3dNCaZpgbp2wheA5anppZ/NU/q+5c
rDxhB3zsvuMuOvPoJJcDXq9Xok0akYBDRgHMqNU4a04ukKwL6DKzk0NRCF/df36h
o7za3nX2UYm4i99arBACEIF9KUNl3dBZIMAS4AamodiSq5dVqIcxF4mcIVN0niFn
u3NE+q1Lliu7BLcpuBucVS/FHeue9QIGUI/UFuZs+8Yzeo6AZ63GM4Sh4RD3q2CB
wtADslVdHfdSPWTVL90jaIJ/5iQEunaXO9uGw5SUyVD55RgZgBNcO58/187Za1Ew
W5sRyFrFpvhOfygG4wHmbzhznO8VQzUSLYouURiIypjrf2lNIAECqHEftRkLtMP5
7AeODQcaUWVTvVDvx/rC
=pB3q
-----END PGP SIGNATURE-----