httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 41279] New: - Apache 1.3.37 htpasswd is vulnerable to buffer overflow vulnerability
Date Tue, 02 Jan 2007 20:13:32 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=41279>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=41279

           Summary: Apache 1.3.37 htpasswd is vulnerable to buffer overflow
                    vulnerability
           Product: Apache httpd-1.3
           Version: HEAD
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P3
         Component: Other
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: gnuler@gmail.com
                CC: gnuler@gmail.com


Synopsis: Apache 1.3.37 htpasswd buffer overflow vulnerability
Version: 1.3.37 (latest 1.3.xx)

Product
=======
Apache htpasswd utility


Issue
=====
A buffer overflow vulnerability has been found; it is dangerous only in
environments where the binary is suid root.

Details
=======
Incorrect validation of the size of user input allows a string to be copied,
via strcpy, to a fixed-size buffer.
File: htpasswd.c, Line 421.

Solution
========
Apply this patch to htpasswd.c

-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<--

  415,419c415,420
  <       if (strlen(argv[i + 1]) > (sizeof(user) - 1)) {
  <           fprintf(stderr, "%s: username too long (>%lu)\n", argv[0],
  <                   (unsigned long)(sizeof(user) - 1));
  <           return ERR_OVERFLOW;
  <       }
  ---
  >     }
  >     if (strlen(argv[i + 1]) > (sizeof(user) - 1)) {
  >       fprintf(stderr, "%s: username too long (>%lu)\n", argv[0],
  >       (unsigned long)(sizeof(user) - 1));
  >       return ERR_OVERFLOW;
  >
--->8----->8----->8----->8----->8----->8----->8----->8----->8----->8----->8-----
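
Review bot: the closing brace of the relocated "if" is not among the ">" lines (they end with "return ERR_OVERFLOW;" and an empty line), so the new check only compiles if the unchanged line after old line 419 supplies it, and the "}" now placed ahead of the check cannot be matched to its block from this hunk alone. Please resend as a unified diff (diff -u) so the enclosing block and the strcpy at line 421 named in Details are visible and it can be confirmed that the length test runs on every path that reaches the copy. The moved body is also indented by two spaces where the removed lines used four, and the "(unsigned long)" continuation no longer lines up under the fprintf arguments; keeping the file's existing indentation would make the change easier to read.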

Affected Versions
==================
1.3.37 - http://www.apache.org/dist/httpd/apache_1.3.37.tar.gz

Notes & References
==================
Another similar bug was discovered by Luiz Fernando [1]. Larry Cashdollar's
patch also fixed the bug I'm posting, but it seems not to have been applied to
the latest versions of Apache 1.3.xx.

Michael Engert submitted another patch [1] which also fixed this bug and filled
out a bug report [1], but it wasn't applied.

Have a look at other posts [3][4] on this (and similar) issues.

1 - http://archives.neohapsis.com/archives/fulldisclosure/2004-09/0547.html
2 - http://issues.apache.org/bugzilla/show_bug.cgi?id=31975
3 - http://seclists.org/bugtraq/2004/Oct/0359.html
4 - http://www.security-express.com/archives/fulldisclosure/2004-10/1117.html


Credits
=======
Matias S. Soler - gnuler [at] gmail [dot] com
Luiz Fernando
Michael Engert

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
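
The control-flow shape the patch changes, as an added example that is not code from htpasswd.c or from the report. The nesting of the original check is inferred from the "}" the patch moves ahead of it; USER_CAP, in_branch, the function names, the numeric return values and the sample input are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define USER_CAP 16u        /* assumed; the report does not give sizeof(user) */
#define COPIED 0
#define ERR_OVERFLOW 5      /* placeholder value for the report's ERR_OVERFLOW */
#define WOULD_OVERFLOW (-1) /* marker: an unchecked strcpy would be reached */

/* Pre-patch shape: the length test is nested in a branch, so the other
 * path falls through to the copy. The out-of-bounds strcpy is reported,
 * not executed, so the example stays well-defined. */
static int copy_user_nested_check(char *user, const char *arg, int in_branch)
{
    if (in_branch) {
        if (strlen(arg) > USER_CAP - 1)
            return ERR_OVERFLOW;
    }
    if (strlen(arg) > USER_CAP - 1)
        return WOULD_OVERFLOW;   /* strcpy(user, arg) would run here */
    strcpy(user, arg);
    return COPIED;
}

/* Post-patch shape: the same test runs on every path before the copy. */
static int copy_user_hoisted_check(char *user, const char *arg, int in_branch)
{
    (void)in_branch;             /* the branch no longer decides safety */
    if (strlen(arg) > USER_CAP - 1) {
        fprintf(stderr, "username too long (>%lu)\n",
                (unsigned long)(USER_CAP - 1));
        return ERR_OVERFLOW;
    }
    strcpy(user, arg);           /* fits: strlen(arg) <= USER_CAP - 1 */
    return COPIED;
}

int main(void)
{
    char user[USER_CAP];
    const char *long_name = "constructed-name-longer-than-15"; /* constructed */
    printf("nested,  branch taken:   %d\n", copy_user_nested_check(user, long_name, 1));
    printf("nested,  branch skipped: %d\n", copy_user_nested_check(user, long_name, 0));
    printf("hoisted, branch skipped: %d\n", copy_user_hoisted_check(user, long_name, 0));
    return 0;
}
```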
