httpd-dev mailing list archives

From Andrew Wilson <and...@www.elsevier.co.uk>
Subject Re: ANOTHER hole in NCSA httpd1.3R
Date Wed, 12 Apr 1995 14:11:41 GMT

Do we have answers to these questions yet?  Do we want to make
a sweep through the code to try and get all the strcpy and sprintf's
knocked out?

Ay.

> From owner-www-security@ns2.rutgers.edu Wed Apr 12 13:58:52 1995
> Date: Tue, 11 Apr 1995 23:49:39 -0700
> From: Paul Phillips <paulp@cerf.net>
> Newsgroups: comp.infosystems.www.providers,comp.security.unix
> Subject: ANOTHER hole in NCSA httpd1.3R
> Organization: http://www.primus.com/staff/paulp/useless.html
> Cc: bugtraq@fc.net, www-security@ns1.rutgers.edu
> Sender: owner-www-security@ns2.Rutgers.EDU
> Content-Length: 468
> 
> Looks like I posted too fast, I just found another hole in httpd.
> 
> In http_access.c, function evalute_access:
> 
>     if(S_ISDIR(finfo->st_mode)) strcpy_dir(path,p);
>     else strcpy(path,p);
> 
> The second strcpy is copying a filename (again, potentially 8192 characters)
> into a local buffer (256 characters.)
> 
> Some scary info:
> 
> {nic} grep strcpy *.c | wc -l
>     123
> {nic} grep sprintf *.c |wc -l
>      51
> 
> There are more holes here, folks.
> 
> --
> Paul Phillips
> paulp@cerf.net
> 
> 
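An added example, not code from NCSA httpd or from either poster: one shape a length-checked replacement for the quoted `strcpy(path,p)` and for the `sprintf` call sites could take, using the 256-byte buffer and 8192-character name sizes given in the post. The names `copy_checked`, `join_checked` and `try_name_of_length` are hypothetical, and the input is constructed.

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF 256    /* local buffer size quoted in the post */
#define MAX_NAME 8192   /* filename length quoted in the post */

/* Hypothetical helper: copy src into dst only if it fits with its NUL.
 * Returns the copied length, or -1 (dst left empty) if it does not fit,
 * so nothing downstream sees an overflowed or silently truncated path. */
int copy_checked(char *dst, size_t dstsz, const char *src)
{
    size_t n = 0;
    if (dst == NULL || dstsz == 0 || src == NULL)
        return -1;
    dst[0] = '\0';
    while (n < dstsz && src[n] != '\0')   /* never scan past capacity */
        n++;
    if (n == dstsz)
        return -1;                        /* strcpy would have overflowed */
    memcpy(dst, src, n + 1);
    return (int)n;
}

/* Hypothetical helper for the sprintf case: snprintf reports the length it
 * needed, so truncation is detectable; the caller must treat -1 as fatal. */
int join_checked(char *dst, size_t dstsz, const char *dir, const char *name)
{
    int need = snprintf(dst, dstsz, "%s/%s", dir, name);
    return (need < 0 || (size_t)need >= dstsz) ? -1 : need;
}

/* Constructed input: a name of `len` 'A' characters copied into a
 * PATH_BUF-sized local buffer, as at the quoted call site. */
int try_name_of_length(size_t len)
{
    static char name[MAX_NAME];
    char path[PATH_BUF];
    if (len >= sizeof name)
        return -1;
    memset(name, 'A', len);
    name[len] = '\0';
    return copy_checked(path, sizeof path, name);
}

int main(void)
{
    printf("%d %d %d\n", try_name_of_length(255),
           try_name_of_length(256), try_name_of_length(8191));
    return 0;
}
```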
