CVE-2007-0158
https://notcve.org/view.php?id=CVE-2007-0158
thttpd 2007 has buffer underflow. thttpd versión 2007, tiene un desbordamiento de búfer. • http://taviso.decsystem.org/research.t2t • CWE-787: Out-of-bounds Write •
CVE-2012-5640
https://notcve.org/view.php?id=CVE-2012-5640
thttpd has a local DoS vulnerability via specially-crafted .htpasswd files thttpd, presenta una vulnerabilidad de tipo DoS local por medio de archivos .htpasswd especialmente diseñados. • http://www.openwall.com/lists/oss-security/2012/12/15/1 https://access.redhat.com/security/cve/cve-2012-5640 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5640 https://security-tracker.debian.org/tracker/CVE-2012-5640 • CWE-476: NULL Pointer Dereference •
CVE-2017-17663
https://notcve.org/view.php?id=CVE-2017-17663
The htpasswd implementation of mini_httpd before v1.28 and of thttpd before v2.28 is affected by a buffer overflow that can be exploited remotely to perform code execution. La implementación htpasswd de mini_httpd, en versiones anteriores a la v1.28 y de thttpd, en versiones anteriores a la v2.28, se ha visto afectada por un desbordamiento de búfer que podría ser explotado de forma remota para ejecutar código. • http://acme.com/updates/archive/199.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2013-0348
https://notcve.org/view.php?id=CVE-2013-0348
thttpd.c in sthttpd before 2.26.4-r2 and thttpd 2.25b use world-readable permissions for /var/log/thttpd.log, which allows local users to obtain sensitive information by reading the file. thttpd.c en sthttpd antes de 2.26.4-r2 y httpd 2.25b usa permisos de lectura universales para / var / log / thttpd.log, lo que permite a usuarios locales obtener información sensible mediante la lectura del archivo. • http://lists.opensuse.org/opensuse-updates/2013-12/msg00050.html http://lists.opensuse.org/opensuse-updates/2014-01/msg00015.html http://opensource.dyc.edu/gitweb/?p=sthttpd.git%3Ba=commitdiff%3Bh=d2e186dbd58d274a0dea9b59357edc8498b5388d http://www.openwall.com/lists/oss-security/2013/02/23/7 https://bugs.gentoo.org/show_bug.cgi?id=458896 https://bugzilla.redhat.com/show_bug.cgi?id=924857 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2009-4491 – thttpd 2.24 - HTTP Request Escape Sequence Terminal Command Injection
https://notcve.org/view.php?id=CVE-2009-4491
thttpd 2.25b0 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator. thttpd v2.25b0, escribe datos en un archivo de los sin depurar los caracteres no escribibles, lo que podría permitir a atacantes remotos modificar la ventana de título, o posiblemente ejecutar comandos de su elección o sobrescribir archivos, a través de una petición HTTP que contiene una secuencia de escape para el emulador de terminal. Nginx, Varnish, Cherokee, thttpd, mini-httpd, WEBrick, Orion, AOLserver, Yaws and Boa are subject to log escape sequence injection vulnerabilities. • https://www.exploit-db.com/exploits/33499 http://packetstormsecurity.com/files/175949/m-privacy-TightGate-Pro-Code-Execution-Insecure-Permissions.html http://seclists.org/fulldisclosure/2023/Nov/13 http://www.securityfocus.com/archive/1/508830/100/0/threaded http://www.ush.it/team/ush/hack_httpd_escape/adv.txt • CWE-20: Improper Input Validation CWE-94: Improper Control of Generation of Code ('Code Injection') •