ACME mini_httpd arbitrary file read - Vulnerability Database

ACME mini_httpd arbitrary file read

Description

ACME mini_httpd is a lightweight web server designed for performance and minimal resource consumption. Versions prior to 1.30 contain a path traversal vulnerability (CVE-2018-18778) that allows remote attackers to bypass access controls and read arbitrary files from the server's filesystem. This vulnerability stems from improper validation of user-supplied input in file path handling, enabling attackers to use directory traversal sequences to access files outside the intended web root directory.
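The description attributes the flaw to missing validation of the request path before it is mapped onto the filesystem. The following C program is an added example (not mini_httpd's own code) of the check such a server needs: it percent-decodes the request path, resolves "." and ".." segments lexically against a stack, treats backslashes as separators, rejects embedded NUL bytes, and refuses any path whose ".." would climb above the document root. The document root /var/www and the request paths in main() are constructed placeholders.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PATH_LEN 1024   /* buffer size for decoded and joined paths */
#define MAX_SEGS     128    /* maximum path depth we are willing to track */

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode a request path. Returns 0 on success, -1 if an escape is
 * malformed, decodes to a NUL byte (which would silently truncate the path
 * at the filesystem API), or the result does not fit in out. */
int url_decode(const char *in, char *out, size_t outlen) {
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        int c = (unsigned char)in[i];
        if (c == '%') {
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = (hi < 0) ? -1 : hexval((unsigned char)in[i + 2]);
            if (lo < 0) return -1;
            c = hi * 16 + lo;
            if (c == 0) return -1;
            i += 2;
        }
        if (o + 1 >= outlen) return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 0;
}

/* Lexically resolve a request path under docroot. Decoded segments are kept
 * on a stack: "" and "." are dropped, ".." pops one segment, and a ".." with
 * nothing left to pop is the escape that must be refused. On success writes
 * "<docroot>/seg/seg" to out and returns 1; returns 0 when the path would
 * leave the root, is malformed, or does not fit. */
int resolve_under_root(const char *docroot, const char *reqpath,
                       char *out, size_t outlen) {
    char decoded[MAX_PATH_LEN];
    const char *segs[MAX_SEGS];
    size_t seglen[MAX_SEGS];
    int depth = 0;

    if (url_decode(reqpath, decoded, sizeof decoded) != 0) return 0;
    /* Treat backslash as a separator too, so "..\" cannot slip past. */
    for (char *q = decoded; *q != '\0'; q++)
        if (*q == '\\') *q = '/';

    const char *p = decoded;
    while (*p != '\0') {
        while (*p == '/') p++;
        if (*p == '\0') break;
        const char *start = p;
        while (*p != '\0' && *p != '/') p++;
        size_t len = (size_t)(p - start);
        if (len == 1 && start[0] == '.') continue;
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0) return 0;      /* would climb above docroot */
            depth--;
            continue;
        }
        if (depth >= MAX_SEGS) return 0;
        segs[depth] = start;
        seglen[depth] = len;
        depth++;
    }

    size_t used = strlen(docroot);
    if (used >= outlen) return 0;
    memcpy(out, docroot, used);
    for (int i = 0; i < depth; i++) {
        if (used + 1 + seglen[i] >= outlen) return 0;
        out[used++] = '/';
        memcpy(out + used, segs[i], seglen[i]);
        used += seglen[i];
    }
    out[used] = '\0';
    return 1;
}

int main(void) {
    /* Constructed request paths; /var/www is a placeholder document root. */
    const char *requests[] = {
        "/index.html", "/img/../css/site.css", "/../../etc/passwd",
        "/img/..%2f..%2fetc/passwd", "/..%5c..%5cetc/passwd", "/index.html%00.png",
    };
    char resolved[MAX_PATH_LEN];
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        if (resolve_under_root("/var/www", requests[i], resolved, sizeof resolved))
            printf("ALLOW %-28s -> %s\n", requests[i], resolved);
        else
            printf("DENY  %-28s (escapes document root or malformed)\n", requests[i]);
    }
    return 0;
}
```

The check is purely lexical: it decides from the request string alone, before any filesystem call, which is what the description says was missing. It does not see symlinks inside the document root that point elsewhere, so it complements rather than replaces the chroot and minimal-permission controls the remediation section recommends.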

Remediation

Immediately upgrade ACME mini_httpd to version 1.30 or later, which contains a fix for this vulnerability. Follow these steps:

1. Download the latest version from the official ACME software repository
2. Back up your current configuration files and web content
3. Stop the running mini_httpd service
4. Replace the existing binary with the updated version
5. Verify the configuration is compatible with the new version
6. Restart the mini_httpd service and test functionality

As an additional security measure, implement defense-in-depth controls such as running mini_httpd with minimal filesystem permissions, using chroot jails to restrict filesystem access, and deploying web application firewalls (WAF) to detect and block path traversal attempts. Review server logs for any indicators of exploitation attempts.
