thttp v2.20c and below contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate Script variables upon submission of the URL. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Upgrade to version 2.24 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

• CVE ID: 2002-0733 (see also: NVD)
• Exploit Database: 21422
• Bugtraq ID: 4601
• ISS X-Force ID: 9029
• Vendor Specific Solution URL: ftp://atualizacoes.conectiva.com.br/9/RPMS/thttpd-2.24-22871U90_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/9/RPMS/thttpd-htpasswd-2.24-22871U90_1cl.i386.rpm
• Mail List Post: http://archives.neohapsis.com/archives/vuln-dev/2002-q2/0155.html
• Vendor URL: http://www.acme.com/software/thttpd/
• Vendor Specific News/Changelog Entry: http://www.acme.com/software/thttpd/#releasenotes
• Other Advisory URL: http://www.ifrance.com/kitetoua/tuto/5holes1.txt

• Frog Man - leseulfroghotmail.com - PHP Secure