darkhttpd before 1.15 uses strcmp (which is not constant time) to verify authentication, which makes it easier for remote attackers to bypass authentication via a timing side channel.
The strcmp() function compares strings and terminates immediately after encountering the first difference between compared characters. The execution time of this function is therefore dependent on the number of matching characters at the beginning of the compared strings. An attacker can measure the server response time for successive authentication attempts, gradually guessing the correct password character by character (timing side channel). Such an attack does not require brute-forcing the entire password space, but only sequential discovery of each character individually.
An attacker can bypass the HTTP server authentication mechanism and gain unauthorized access to password-protected resources, leading to complete compromise of confidentiality, integrity, and availability of the served data.
Update darkhttpd to version 1.15 or newer. The fix is available in commit f477619d49f3c4de9ad59bd194265a48ddc03f04 in the project repository on GitHub, which replaces the strcmp() function with a constant-time string comparison function.
darkhttpd (Unix4Lyfe) in versions before 1.15
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HUnix4lyfe Darkhttpd
APPUnix4Lyfe< 1.15
Related vulnerabilities
A flaw was found in darkhttpd. Invalid error handling allows remote attackers to cause denial-of-service by ac...
darkhttpd through 1.15 allows local users to discover credentials (for --auth) by listing processes and their ...