CVE-2014-5015

Eterna Bozohttpd < 20140201 - Access Control

Title source: rule

Description

bozotic HTTP server (aka bozohttpd) before 20140708, as used in NetBSD, truncates paths when checking .htpasswd restrictions, which allows remote attackers to bypass the HTTP authentication scheme and access restrictions via a long path.

References (7)

[Vendor Advisory] ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-007.txt.asc

[Mailing List] http://seclists.org/oss-sec/2014/q3/180

[Patch] http://www.eterna.com.au/bozohttpd/

[Various Sources] http://www.eterna.com.au/bozohttpd/CHANGES

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/94751

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/68752

[Third Party Advisory, VDB Entry] http://www.osvdb.org/109283

Scores

EPSS 0.0057

EPSS Percentile 68.3%

Classification

CWE

CWE-264

Status draft

Affected Products (40)

eterna/bozohttpd < 20140201

eterna/bozohttpd

... and 25 more

Timeline

Published Jul 24, 2014

Tracked Since Feb 18, 2026