httpd-dev mailing list archives

From: Erlend Midttun <Erlend.Midt...@logina.idb.hist.no>
Subject: Bufferoverflow
Date: Sat, 30 Sep 1995 22:17:51 GMT
-----BEGIN PGP SIGNED MESSAGE-----

Hello, 

I picked this from comp.security.unix concerning the NCSA httpd.
It appears that the very same code is present in Apache 0.8.14.
If you have made improvements that eliminate this "feature", or if it
turns out not to be a concern, please forgive me for wasting your time.

##########################################################################

- From khsu@wam.umd.edu Wed Sep 27 12:32:54 1995
Path: astfgl.idb.hist.no!nntp-trd.UNINETT.no!sunic!sunic.sunet.se!news.uni-c.dk!dkuug!icl.icl.dk!sw0198!news.icl.fi!news.eunet.fi!news.funet.fi!news.kolumbus.fi!news.sprintlink.net!howland.reston.ans.net!nntp.crl.com!decwrl!purdue!haven.umd.edu!cville-srv.wam.umd.edu!khsu
From: khsu@wam.umd.edu (Kevin Hsu)
Newsgroups: comp.security.unix
Subject: Hmmm... I think I may have found something...
Date: 25 Sep 1995 17:19:21 GMT
Organization: University of Maryland, College Park
Lines: 58
Message-ID: <446oap$3r0@cville-srv.wam.umd.edu>
NNTP-Posting-Host: rac10.wam.umd.edu


Security gurus:

   I was looking through NCSA HTTPD's C source and found something fishy in
/cgi-src/query.c and /cgi-src/util.c:

###QUERY.C###

typedef struct {
    char name[128];
    char val[128];
} entry;

...

    for(x=0;cl[0] != '\0';x++) {
        m=x;
        /* copy the next '&'-separated token of the query string into the
           128-byte val field; getword() is never told the field's size */
        getword(entries[x].val,cl,'&');
        plustospace(entries[x].val);
        unescape_url(entries[x].val);
        /* split "name=value" at '=' into the name and val fields */
        getword(entries[x].name,entries[x].val,'=');
    }
...

###UTIL.C###

void getword(char *word, char *line, char stop) {
    int x = 0,y;

    /* copy line into word up to the stop character; x is not bounded, so a
       token longer than the caller's buffer (128 bytes above) is written
       straight past the end of it */
    for(x=0;((line[x]) && (line[x] != stop));x++)
        word[x] = line[x];

    word[x] = '\0';
    if(line[x]) ++x;
    y=0;

    /* shift the remainder of line (after the stop character) down to its start */
    while(line[y++] = line[x++]);
}

...




###########################################################

Is it me, or does this code suffer the same problem that the finger daemon
suffered years ago? Can't someone overwrite the program's text and stack with
their own? Or am I just naive?

Please respond...I'd like to know if I'm just rehashing a well-known hole
or missing something obvious.


Kevin Hsu
Software Engineering Manager
Proxima, Inc.


###

Erlend..
- -- 
Erlend Midttun                 erlendbm@colargol.stud.idb.hist.no
IRC:   Golle
http://colargol.idb.hist.no/~erlendbm/               A Linux User
        inews: signature too long.  Article not posted.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i

iQEVAgUBMG1DeOiWtdu6znSNAQH3swgApDmSXmEWCHETGerIzuDu+dSYNZ+A0pKg
ipYTmNhIWRDAmkqIkPgUz0nvZH2RKb+n9hMOmbroUDshxgStarF3rg6Ub22HDg36
l6A0Y3y/exRTCor6asn386BMksDPhUhfOj5gkPMV9jWA6wR7x4Maw7TUtGbHZgSZ
BHjxcFd46bu8pBEEM1GZEW8Th22GQs1IuYgR/KGFCUUdzxosv8TV3TALx4IrfJoE
AYssALHwTwEvXIlbVyFNNuPSOR8Dh1j1wO/qoNmXkK5nkHlsknCJrd5uB0Pdt1EF
PmBPbC2xNPBYF2Qpl7wJ0lOIh3ja3da3+K22/QOfOlCrQTBEfEovfg==
=jsSa
-----END PGP SIGNATURE-----
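The following is an added example, not code from NCSA httpd, Apache, or the quoted post. It shows a bounded replacement for getword() that keeps the original's interface and side effects (the token and its stop character are still consumed from line) but never writes past the destination, together with a parser loop in the shape of the query.c loop that rejects oversized tokens instead of silently truncating them. WORD_LEN mirrors the 128-byte name/val fields in the post; the plustospace()/unescape_url() steps are omitted on the assumption that they are irrelevant to the length problem. The demo inputs are constructed; the guard bytes after the entry exist only to show that nothing is written beyond the 128-byte field.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define WORD_LEN 128   /* same fixed field size as entry.name / entry.val in the post */

typedef struct {
    char name[WORD_LEN];
    char val[WORD_LEN];
} entry;

/* Copy the token before `stop` into word, writing at most wordsize-1 bytes and
 * always NUL-terminating. The whole token (plus the stop character) is still
 * removed from line, so a caller's loop advances exactly as with the original.
 * Returns the token's full length so the caller can tell the copy was cut short. */
size_t getword_bounded(char *word, size_t wordsize, char *line, char stop)
{
    size_t x, tok_len, copy_len;

    for (x = 0; line[x] != '\0' && line[x] != stop; x++)
        ;
    tok_len = x;

    copy_len = (wordsize == 0) ? 0 : (tok_len < wordsize ? tok_len : wordsize - 1);
    memcpy(word, line, copy_len);
    if (wordsize > 0)
        word[copy_len] = '\0';

    if (line[x] != '\0')
        x++;                                           /* skip the stop character */
    memmove(line, line + x, strlen(line + x) + 1);     /* shift remainder down, NUL included */
    return tok_len;
}

/* Parse "name=value&name=value..." into entries the way the query.c loop does,
 * but with bounds on both the token copies and the entry count. Returns the
 * number of entries filled, or -1 if a token would not fit (the request is
 * rejected rather than truncated). */
int parse_query(char *cl, entry *entries, int max_entries)
{
    int n = 0;

    while (cl[0] != '\0') {
        if (n >= max_entries)
            return -1;
        if (getword_bounded(entries[n].val, WORD_LEN, cl, '&') >= WORD_LEN)
            return -1;
        /* val now holds "name=value"; split it at '=' into name and value */
        getword_bounded(entries[n].name, WORD_LEN, entries[n].val, '=');
        n++;
    }
    return n;
}

/* Constructed input: two ordinary pairs. Returns 1 if both are split as expected. */
int demo_normal(void)
{
    char query[] = "a=1&bb=22";
    entry e[4];
    int n = parse_query(query, e, 4);

    return n == 2
        && strcmp(e[0].name, "a") == 0 && strcmp(e[0].val, "1") == 0
        && strcmp(e[1].name, "bb") == 0 && strcmp(e[1].val, "22") == 0;
}

/* Constructed input: a 298-byte value, far beyond WORD_LEN. Guard bytes placed
 * directly after the entry reveal any write past it. Returns 1 if the input was
 * rejected and every guard byte is untouched. */
int demo_oversized(void)
{
    struct { entry e[1]; char guard[16]; } s;
    char query[512];
    size_t i;
    int rc;

    memset(s.guard, 'G', sizeof s.guard);
    memcpy(query, "q=", 2);
    memset(query + 2, 'A', 298);
    query[300] = '\0';

    rc = parse_query(query, s.e, 1);
    for (i = 0; i < sizeof s.guard; i++)
        if (s.guard[i] != 'G')
            return 0;
    return rc == -1;
}

int main(void)
{
    printf("normal pairs parsed correctly: %s\n", demo_normal() ? "yes" : "no");
    printf("oversized value rejected, guard intact: %s\n", demo_oversized() ? "yes" : "no");
    return 0;
}
```

Passing the destination size into the copy routine is the whole fix; whether an oversized token is then rejected (as here) or truncated is a policy choice, but rejection avoids silently handing a CGI program a field that no longer matches what the client sent.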

