Test ID: 1.3.6.1.4.1.25623.1.0.51479
Category: Conectiva Local Security Checks
Title: Conectiva Security Advisory CLA-2003:777
Summary: NOSUMMARY
Description:

The remote host is missing updates announced in advisory CLA-2003:777.

thttpd is a very simple and compact HTTP server. The thttpd package distributed with Conectiva Linux 9 (thttpd-2.20c-22870cl) contains several bugs[1] that prevent it from being useful. This update fixes these bugs and the following security vulnerabilities that affect thttpd 2.20c (descriptions borrowed from the respective CVE pages):

- Sensitive file disclosure[2] (CVE-2001-0892): with the chroot option enabled, thttpd allows remote attackers to view sensitive files under the document root (such as .htpasswd) via a GET request with a trailing '/.'.

- Cross-site scripting[3] (CVE-2002-0733): thttpd allows remote attackers to execute arbitrary scripts via a URL to a nonexistent page, which causes thttpd to insert the script into a 404 error message.

- Directory traversal[4] (CVE-2002-1562): when using virtual hosting, thttpd allows remote attackers to read arbitrary files via '..' (dot dot) sequences in the 'Host:' header.

The thttpd package has been updated to version 2.24, the latest stable release available at this time.

Solution: The apt tool can be used to perform RPM package upgrades by running 'apt-get update' followed by 'apt-get upgrade'.

References:
[1] http://bugzilla.conectiva.com.br/show_bug.cgi?id=9653
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0892
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0733
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1562
http://www.securityspace.com/smysecure/catid.html?in=CLA-2003:777
http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=002003

Risk factor: High
CVSS Score: 7.5
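The three bugs above share one root cause: a security decision (protected-file check, document-root selection, error-page rendering) is made on attacker-controlled input before that input is canonicalised or escaped. The following Python model is an added example, not thttpd's source code and not part of the Conectiva advisory; it builds a constructed document tree in a temporary directory and shows each vulnerable decision next to a hardened one. The directory layout, the helper names (vulnerable_read, safe_read, safe_docroot, etc.), the .htpasswd-only protected set and the hostname regular expression are assumptions chosen for the illustration.

```python
"""Model of the three thttpd 2.20c issues fixed by CLA-2003:777 beside
hardened versions of the same checks. Added illustrative code, not thttpd's
source; layout, helper names and the hostname regex are assumptions."""
import html
import os
import posixpath
import re
import tempfile

# Assumed syntax check for the Host header: dot-separated labels of
# letters, digits and '-'. Anything with '/', '..' or other junk is rejected.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*$")
PROTECTED = {".htpasswd"}  # names that must never be served


def make_site():
    """Constructed sample tree (not real data):
    <base>/vhosts/www.example.com/{index.html,.htpasswd} plus <base>/secret.txt,
    which lies outside every virtual host's document root. Returns vhosts dir."""
    base = tempfile.mkdtemp()
    vhosts = os.path.join(base, "vhosts")
    site = os.path.join(vhosts, "www.example.com")
    os.makedirs(site)
    for name, body in (("index.html", "<h1>hello</h1>"),
                       (".htpasswd", "admin:$1$salt$hash")):
        with open(os.path.join(site, name), "w") as f:
            f.write(body)
    with open(os.path.join(base, "secret.txt"), "w") as f:
        f.write("outside every document root")
    return vhosts


def vulnerable_docroot(vhosts, host):
    """CVE-2002-1562 model: the Host header is pasted into the path unchecked,
    so 'Host: ..' selects the parent of the vhost base as document root."""
    return os.path.join(vhosts, host)


def safe_docroot(vhosts, host):
    """Reject anything that is not a hostname, then confirm the resolved
    directory is still below the vhost base (returns None on failure)."""
    if not HOSTNAME_RE.match(host):
        return None
    base = os.path.realpath(vhosts)
    root = os.path.realpath(os.path.join(base, host.lower()))
    if os.path.commonpath([root, base]) != base:
        return None
    return root


def _relative(url_path):
    """Collapse '.' and '..' segments and strip the leading '/'."""
    return posixpath.normpath("/" + url_path.lstrip("/")).lstrip("/")


def vulnerable_not_found(url_path):
    """CVE-2002-0733 model: the request path is echoed unescaped into the 404."""
    return "<html><body>The requested URL %s was not found.</body></html>" % url_path


def safe_not_found(url_path):
    """Same page with the path HTML-escaped before it reaches the body."""
    return ("<html><body>The requested URL %s was not found.</body></html>"
            % html.escape(url_path, quote=True))


def vulnerable_read(docroot, url_path):
    """CVE-2001-0892 model: the protected-name test inspects the raw request
    path, so '/.htpasswd/.' has basename '.' and slips past; the path is only
    normalised afterwards, when the file is opened."""
    if os.path.basename(url_path) in PROTECTED:
        return 403, "Forbidden"
    try:
        with open(os.path.join(docroot, _relative(url_path))) as f:
            return 200, f.read()
    except OSError:
        return 404, vulnerable_not_found(url_path)


def safe_read(docroot, url_path):
    """Normalise first, test the canonical name, then confine the real path
    to the document root before opening anything."""
    rel = _relative(url_path)
    if os.path.basename(rel) in PROTECTED:
        return 403, "Forbidden"
    root = os.path.realpath(docroot)
    target = os.path.realpath(os.path.join(root, rel))
    if os.path.commonpath([target, root]) != root:
        return 403, "Forbidden"
    try:
        with open(target) as f:
            return 200, f.read()
    except OSError:
        return 404, safe_not_found(url_path)


def demo():
    """Run each attack against both implementations; returns a result dict."""
    vhosts = make_site()
    bad = vulnerable_docroot(vhosts, "www.example.com")
    good = safe_docroot(vhosts, "www.example.com")
    xss = "/<script>alert(1)</script>"
    return {
        "htpasswd_vuln": vulnerable_read(bad, "/.htpasswd/.")[0],   # 200: leaked
        "htpasswd_safe": safe_read(good, "/.htpasswd/.")[0],        # 403
        "host_vuln": vulnerable_read(vulnerable_docroot(vhosts, ".."),
                                     "/secret.txt")[0],             # 200: escaped
        "host_safe": safe_docroot(vhosts, ".."),                    # None
        "xss_vuln": "<script>" in vulnerable_read(bad, xss)[1],     # True
        "xss_safe": "<script>" in safe_read(good, xss)[1],          # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The hardened reader applies the same order the 2.24 fixes amount to in practice: canonicalise, then decide, then confine with realpath and commonpath so that symlinks and any '..' the normaliser missed are caught before open(). The Host header is treated as a hostname to be validated, never as a path fragment.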
Cross-Ref:
CVE-2001-0892
  Bugtraq: 20011113 Cgisecurity.com Advisory #6: thttpd and mini_http Permission bypass vuln
  http://marc.info/?l=bugtraq&m=100568999726036&w=2
CVE-2002-0733
  BugTraq ID: 4601 http://www.securityfocus.com/bid/4601
  http://www.ifrance.com/kitetoua/tuto/5holes1.txt
  http://www.osvdb.org/5125
  http://archives.neohapsis.com/archives/vuln-dev/2002-q2/0155.html
  http://www.iss.net/security_center/static/9029.php
CVE-2002-1562
  Conectiva Linux advisory: CLA-2003:777 http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000777
  Debian Security Information: DSA-396 https://www.debian.org/security/2003/dsa-396
  SuSE Security Announcement: SuSE-SA:2003:044
Copyright: Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com