Is "mini-httpd" a secure web server?

Update: As pointed out by Moti Korets here, my answer relates to "Vector Ultra Mini Httpd", not "ACME mini_httpd" that I now realise was being asked for by the OP.

Vector Ultra Mini Httpd

No, it is not secure.

Even the latest version, v1.21, suffers from a serious stack-based buffer overflow, meaning that a remote attacker can gain control of your system. CVE here.

ACME mini_httpd

See jimis's excellent answer here.


I would not rely on the obscurity of mini_httpd to improve security.

As mentioned in SilverlightFox's answer, there is an outstanding vulnerability. I am surprised that there are not further issues - it could be that people just haven't tested.

To me, as an embedded systems pen-tester, mini_httpd is a red flag. If I see this in the headers, there will nearly always be a vulnerability somewhere else. This is of course anecdotal, but I have seen a very strong correlation.

I would stick with a more well-known and tested daemon.

lighttpd is still relatively lightweight, and they are responsive to security reports. It would be a good choice if you are hoping to host rich, interactive content.

yaSSL by wolfSSL is a security-driven HTTP daemon that is worth looking at. It is very lightweight, and they provide pay-for support if required.

nginx has also become feasible for larger embedded systems in recent years.


I don't have the privilege to comment on SilverlightFox's answer, so I'll mention here that the linked CVE is about "Ultra mini httpd" which is a Windows HTTP server, possibly different to ACME mini_httpd.

And while mini_httpd seems unmaintained, the Debian developers are doing a good job maintaining it. You might want to check the package page, specifically the Debian package source.

In that tarball you'll find the "changelog" file which mentions some bugs and one CVE, so you can apply the patches from the "patches" subdirectory. Or use the maintained Debian package.

I believe you are well covered then, and mini-httpd should be secure enough.
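The changelog check described in the answer above, sketched as an added example (not code from any of the answers or from the Debian package): it parses a Debian-format changelog and reports which CVE fixes were recorded after the version you are running. The sample changelog, its version numbers and the CVE ids are constructed placeholders.

```python
import re

# Entry header in a Debian changelog: "package (version) distribution; urgency=..."
HEADER = re.compile(r"^[a-z0-9][a-z0-9+.-]* \((?P<ver>[^)]+)\) [^;]+;")
CVE = re.compile(r"CVE-\d{4}-\d{4,}")

def parse_changelog(text):
    """Return [(version, [cve, ...]), ...] in file order (newest entry first)."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append((m.group("ver"), []))
        elif entries:
            for cve in CVE.findall(line):
                if cve not in entries[-1][1]:  # de-duplicate within one entry
                    entries[-1][1].append(cve)
    return entries

def missing_fixes(text, installed):
    """CVE fixes recorded in changelog entries newer than the installed version."""
    entries = parse_changelog(text)
    versions = [v for v, _ in entries]
    if installed not in versions:
        raise ValueError(f"version {installed!r} not found in changelog")
    newer = entries[:versions.index(installed)]  # entries above it are newer
    return {v: cves for v, cves in newer if cves}

# Constructed sample: versions and CVE ids are placeholders, not real data.
SAMPLE = """\
mini-httpd (9.9-3) unstable; urgency=high

  * Add patch for CVE-0000-00002.

 -- Example Maintainer <maint@example.org>  Mon, 01 Jan 2001 00:00:00 +0000

mini-httpd (9.9-2) unstable; urgency=low

  * Fix typo in man page.

 -- Example Maintainer <maint@example.org>  Mon, 01 Jan 2001 00:00:00 +0000

mini-httpd (9.9-1) unstable; urgency=medium

  * Fix CVE-0000-00001; regression test for CVE-0000-00001 added.

 -- Example Maintainer <maint@example.org>  Mon, 01 Jan 2001 00:00:00 +0000
"""

if __name__ == "__main__":
    print(missing_fixes(SAMPLE, "9.9-1"))
```

Point it at the `debian/changelog` from the unpacked source package and pass the version string of the build you actually deploy.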
