CVE-2024-23770
Description
darkhttpd through 1.15 allows local users to discover credentials (for --auth) by listing processes and their arguments.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
darkhttpd through 1.15 exposes HTTP basic auth credentials to local users via process listing, as the --auth password is visible in ps(1).
Vulnerability
darkhttpd versions up to and including 1.15 pass the --auth username:password credentials as command-line arguments, making them visible in the process list to any local user [1]. This affects all installations where the server is started with the --auth option. The commit history shows that the issue was acknowledged but not fixed in the code [3].
Exploitation
An attacker with local access to the system can run ps or similar process-listing tools to view the arguments of running processes, thereby obtaining the credentials supplied via --auth. No special privileges or user interaction are required beyond having a local user account on the same machine [2].
Impact
Successful exploitation results in the disclosure of HTTP basic authentication credentials. The attacker can then authenticate to the darkhttpd server as the authorized user, gaining access to protected resources served by the web server.
Mitigation
No code fix has been released for this vulnerability. The project's commit [3] adds a warning to the usage message stating that the password is visible in ps(1), but does not change the behavior. Users should avoid using --auth over unencrypted HTTP or consider alternative authentication mechanisms. As of the publication date, no patched version exists.
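An added example (not code from this page or from the darkhttpd project): a Python audit an administrator can run to find darkhttpd processes started with --auth, reporting only the PID and username and never the password. It assumes Linux /proc and that the credential is the argument following --auth; the function names and sample command lines are constructed for illustration.

```python
import os

# Constructed sample argv blobs in /proc/<pid>/cmdline format (NUL-separated).
SAMPLE_EXPOSED = b"\0".join(
    [b"/usr/bin/darkhttpd", b"/srv/www", b"--port", b"8080",
     b"--auth", b"alice:constructed-secret"]) + b"\0"
SAMPLE_CLEAN = b"\0".join([b"/usr/bin/darkhttpd", b"/srv/www"]) + b"\0"


def exposed_auth_user(cmdline: bytes):
    """Return the --auth username if this argv exposes credentials, else None.

    The password is parsed only to confirm the user:password form and is
    discarded, so the audit output does not repeat the secret.
    """
    argv = [a.decode("utf-8", "replace")
            for a in cmdline.rstrip(b"\0").split(b"\0")]
    if os.path.basename(argv[0]) != "darkhttpd":
        return None
    for i, arg in enumerate(argv[:-1]):
        if arg == "--auth":
            user, sep, _password = argv[i + 1].partition(":")
            if sep:
                return user
    return None


def audit_proc(proc_root="/proc"):
    """Scan every numeric directory under proc_root; return sorted (pid, user)."""
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "cmdline"), "rb") as f:
                raw = f.read()
        except OSError:
            continue  # process exited, or access to it is restricted
        user = exposed_auth_user(raw)
        if user is not None:
            findings.append((int(entry), user))
    return sorted(findings)


if __name__ == "__main__":
    for pid, user in audit_proc():
        print(f"pid {pid}: darkhttpd --auth credentials for user "
              f"'{user}' are visible in the process list (password redacted)")
```

Any finding means the credential for that user should be treated as readable by every local account on the host.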
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- darkhttpd/darkhttpd
Patches
No patches discovered yet.
References