Mini-httpd Information Disclosure Vulnerability


Description   A vulnerability has been identified in mini-httpd. A remote attacker could exploit it in order to access sensitive information from the process memory by sending a specially crafted request which contains a long protocol string.

This vulnerability is due to an incorrect response size calculation which leads to an out-of-bounds read.

Updated, 03/01/2016: The mini_httpd packages provided by FreeBSD are vulnerable.
     
Vulnerable Products   Vulnerable OS:
- FreeBSD (FreeBSD) - All
- GNU/Linux (Debian) - 6, 7
     
Solution   Version 1.23 of Mini_HTTPd fixes this vulnerability.
     
CVE   CVE-2015-1548
     
References   - itinsight : mini_httpd v1.21 information disclosure
http://itinsight.hu/en/posts/articles/2015-01-23-mini-httpd/
- Debian Security Tracker : mini-httpd
https://security-tracker.debian.org/tracker/CVE-2015-1548
- Acme : mini_httpd 1.23 released
http://acme.com/updates/archive/192.html
- VuXML : mini_httpd -- buffer overflow via snprintf
http://www.vuxml.org/freebsd/84dc49b0-b267-11e5-8a5b-00262d5ed8ee.html
     
Vulnerability Manager Detection   No
     
IPS Protection   ASQ Engine alarm: Invalid HTTP protocol
Available Since: 3.2.0

Risk level   Moderate

Vulnerability First Public Report Date   2015-02-19

Target Type   Server

Possible exploit   Remote