CVE-2014-5015
medium
CVSS v3
-
CVSS v4 NEW
-
VIR risk
5.0
Description
bozotic HTTP server (aka bozohttpd) before 20140708, as used in NetBSD, truncates paths when checking .htpasswd restrictions, which allows remote attackers to bypass the HTTP authentication scheme and access restrictions via a long path.
Predictions
Exploit likelihood
20%
Patch ETA
-
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: security@debian.org - ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-007.txt.asc
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| freebsd | 5.1 | affected | |
| freebsd | 5.2 | affected | |
| freebsd | 6.0 | affected | |
| freebsd | 6.1 | affected | |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| eterna | bozohttpd | up to and including 20140201 | |
| eterna | bozohttpd | 19990519 | |
| eterna | bozohttpd | 20000421 | |
| eterna | bozohttpd | 20000426 | |
| eterna | bozohttpd | 20000427 | |
| eterna | bozohttpd | 20000815 | |
| eterna | bozohttpd | 20000825 | |
| eterna | bozohttpd | 20010610 | |
| eterna | bozohttpd | 20010812 | |
| eterna | bozohttpd | 20010922 | |
| eterna | bozohttpd | 20020710 | |
| eterna | bozohttpd | 20020730 | |
| eterna | bozohttpd | 20020803 | |
| eterna | bozohttpd | 20020804 | |
| eterna | bozohttpd | 20020823 | |
| eterna | bozohttpd | 20020913 | |
| eterna | bozohttpd | 20021106 | |
| eterna | bozohttpd | 20030313 | |
| eterna | bozohttpd | 20030409 | |
| eterna | bozohttpd | 20030626 | |
| eterna | bozohttpd | 20031005 | |
| eterna | bozohttpd | 20040218 | |
| eterna | bozohttpd | 20040808 | |
| eterna | bozohttpd | 20050410 | |
| eterna | bozohttpd | 20060517 | |
| eterna | bozohttpd | 20060710 | |
| eterna | bozohttpd | 20080303 | |
| eterna | bozohttpd | 20090417 | |
| eterna | bozohttpd | 20090522 | |
| eterna | bozohttpd | 20100509 | |
| eterna | bozohttpd | 20100512 | |
| eterna | bozohttpd | 20100617 | |
| eterna | bozohttpd | 20100621 | |
| eterna | bozohttpd | 20100920 | |
| eterna | bozohttpd | 20111118 | |
| eterna | bozohttpd | 20140102 | |
References
- ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-007.txt.asc
- http://seclists.org/oss-sec/2014/q3/180
- http://www.eterna.com.au/bozohttpd/
- http://www.eterna.com.au/bozohttpd/CHANGES
- http://www.osvdb.org/109283
- http://www.securityfocus.com/bid/68752
- https://exchange.xforce.ibmcloud.com/vulnerabilities/94751
CWEs
CWE-264