CVE-2018-18778
published 2018-10-29CVE-2018-18778: ACME mini_httpd before 1.30 lets remote users read arbitrary files.
PriorityP263medium6.5CVSS 3.0
AVNACLPRLUINSUCHINAN
EXPLOIT
EPSS
74.04%
99.4th percentile
ACME mini_httpd before 1.30 lets remote users read arbitrary files.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| acme | mini-httpd | < 1.30 | 1.30 |
| acme | mini-httpd | >= 0 < 1.30-0.1 | 1.30-0.1 |
| acme | mini-httpd | >= 0 < 1.30-0.1 | 1.30-0.1 |
| acme | mini-httpd | >= 0 < 1.30-0.1 | 1.30-0.1 |
| acme | mini-httpd | >= 0 < 1.30-0.1 | 1.30-0.1 |
| debian | mini-httpd | < mini-httpd 1.30-0.1 (bookworm) | mini-httpd 1.30-0.1 (bookworm) |
Detection & IOCsextracted from sources · hover to see the quote
path/etc/passwd
otherServer: mini_httpd
sigma
HTTP GET request matching path traversal to /etc/passwd with response containing root:.*:0:0: and status 200
- →Detect exploitation attempts by monitoring HTTP GET requests for absolute paths such as /etc/passwd directed at servers responding with 'Server: mini_httpd' in headers.
- →Fingerprint vulnerable mini_httpd instances via the Server response header value 'Server: mini_httpd'; versions prior to 1.30 are vulnerable.
- →Exploitation is triggered via HTTP GET requests with empty headers; monitor for malformed/empty Host header requests against mini_httpd servers. ↗
- →The vulnerability stems from the de_dotdot path sanitization algorithm failing to block absolute path traversal (e.g. /etc/passwd) — detect requests using root-anchored paths outside the web root. ↗
- →Shodan queries can identify exposed vulnerable instances: search for 'Server: mini_httpd' with HTTP 200 responses.
- ·The vulnerability is exploitable by remote (network) attackers despite the Debian tracker listing scope as 'local'; NVD and Ubuntu advisories confirm remote exploitation is possible. ↗
- ·The fix was introduced in mini_httpd version 1.30; all prior versions are vulnerable. Debian fixed it in package version 1.30-0.1. ↗
CVSS provenance
nvdv3.06.5MEDIUMCVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvdv2.04.0MEDIUMAV:N/AC:L/Au:S/C:P/I:N/A:N
osv6.5MEDIUM
vendor_debian6.5MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
mini_httpd vulnerability
vendor_ubuntu·2021-03-15
CVE-2018-18778 mini_httpd vulnerability
Title: mini_httpd vulnerability
Summary: mini_httpd could be made to expose sensitive information over the
network.
It was discovered that ACME mini_httpd did not properly handle HTTP GET
requests with empty headers. A remote attacker could use this vulnerability
to read arbitrary files.
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2018-18778: mini-httpd - ACME mini_httpd before 1.30 lets remote users read arbitrary files.
vendor_debian·2018·CVSS 6.5
CVE-2018-18778 [MEDIUM] CVE-2018-18778: mini-httpd - ACME mini_httpd before 1.30 lets remote users read arbitrary files.
ACME mini_httpd before 1.30 lets remote users read arbitrary files.
Scope: local
bookworm: resolved (fixed in 1.30-0.1)
bullseye: resolved (fixed in 1.30-0.1)
forky: resolved (fixed in 1.30-0.1)
sid: resolved (fixed in 1.30-0.1)
trixie: resolved (fixed in 1.30-0.1)
GHSA
GHSA-mqv7-r447-6j8x: ACME mini_httpd before 1
ghsa_unreviewed·2022-05-14
CVE-2018-18778 [MEDIUM] CWE-200 GHSA-mqv7-r447-6j8x: ACME mini_httpd before 1
ACME mini_httpd before 1.30 lets remote users read arbitrary files.
OSV
CVE-2018-18778: ACME mini_httpd before 1
osv·2018-10-29·CVSS 6.5
CVE-2018-18778 [MEDIUM] CVE-2018-18778: ACME mini_httpd before 1
ACME mini_httpd before 1.30 lets remote users read arbitrary files.
No detection rules found.
Nuclei
ACME mini_httpd <1.30 - Local File Inclusion
nuclei·CVSS 6.5
CVE-2018-18778 [MEDIUM] ACME mini_httpd <1.30 - Local File Inclusion
ACME mini_httpd <1.30 - Local File Inclusion
ACME mini_httpd before 1.30 is vulnerable to local file inclusion.
Template:
id: CVE-2018-18778
info:
name: ACME mini_httpd <1.30 - Local File Inclusion
author: DhiyaneshDK,dogasantos
severity: medium
description: ACME mini_httpd before 1.30 is vulnerable to local file inclusion.
impact: |
Successful exploitation of this vulnerability allows an attacker to read arbitrary files on the server.
remediation: |
Upgrade ACME mini_httpd to version 1.30 or later to mitigate this vulnerability.
reference:
- https://www.acunetix.com/vulnerabilities/web/acme-mini_httpd-arbitrary-file-read/
- http://www.acme.com/software/mini_httpd/
- https://nvd.nist.gov/vuln/detail/CVE-2018-18778
- https://github.com/0xT11/CVE-POC
- https://github.com/ARPSyndicate/cve
2018-10-29
Published