Message-Id:
From: Erlend Midttun
Subject: Bufferoverflow
To: apache-bugs@apache.org
Date: Sat, 30 Sep 1995 23:17:51 +0100 (MET)
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Content-Length: 2809

Hello,

I picked this from comp.security.unix concerning the NCSA httpd. It appears that the very same code is present in Apache 0.8.14. If you have made improvements that eliminate this "feature", or if it turns out not to be a concern, please forgive me for wasting your time.

##########################################################################

From khsu@wam.umd.edu Wed Sep 27 12:32:54 1995
From: khsu@wam.umd.edu (Kevin Hsu)
Newsgroups: comp.security.unix
Subject: Hmmm... I think I may have found something...
Date: 25 Sep 1995 17:19:21 GMT
Organization: University of Maryland, College Park
Message-ID: <446oap$3r0@cville-srv.wam.umd.edu>
NNTP-Posting-Host: rac10.wam.umd.edu

Security gurus:

I was looking through NCSA HTTPD's C source and found something fishy in /cgi-src/query.c and /cgi-src/util.c:

###QUERY.C###

    typedef struct {
        char name[128];     /* fixed-size fields, 128 bytes each */
        char val[128];
    } entry;
    ...
    for(x=0;cl[0] != '\0';x++) {
        m=x;
        getword(entries[x].val,cl,'&');     /* no length is passed for val */
        plustospace(entries[x].val);
        unescape_url(entries[x].val);
        getword(entries[x].name,entries[x].val,'=');
    }
    ...

###UTIL.C###

    void getword(char *word, char *line, char stop) {
        int x = 0,y;

        /* copies until stop or NUL; nothing bounds the write into word */
        for(x=0;((line[x]) && (line[x] != stop));x++)
            word[x] = line[x];

        word[x] = '\0';
        if(line[x]) ++x;
        y=0;

        /* shifts the remainder of line down, including the terminating NUL */
        while(line[y++] = line[x++]);
    }
    ...
###########################################################

Is it me, or does this code suffer the same problem that the finger daemon suffered years ago? Can't someone overwrite the program's text and stack with their own? Or am I just naive?

Please respond... I'd like to know if I'm just rehashing a well-known hole or missing something obvious.

Kevin Hsu
Software Engineering Manager
Proxima, Inc.

###

Erlend..

--
Erlend Midttun  erlendbm@colargol.stud.idb.hist.no
IRC: Golle  http://colargol.idb.hist.no/~erlendbm/
A Linux User
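A bounded rewrite of the getword() quoted above, added here as an illustration; it is not part of the original post nor of the NCSA or Apache sources. The names getword_bounded, parse_entry and demo_oversized, and the 300-byte query string, are constructed for this example; plustospace() and unescape_url() are left out.

```c
#include <string.h>

/* Bounded replacement for the getword() quoted above: copies from line
 * into word up to the stop character, writing at most wordlen-1 bytes and
 * always NUL-terminating, then shifts the remainder of line down as the
 * original does. Returns the number of bytes dropped by truncation. */
size_t getword_bounded(char *word, size_t wordlen, char *line, char stop)
{
    size_t x, y = 0, dropped = 0;

    for (x = 0; line[x] != '\0' && line[x] != stop; x++) {
        if (y + 1 < wordlen)
            word[y++] = line[x];
        else
            dropped++;          /* no room left: count instead of overflowing */
    }
    if (wordlen > 0)
        word[y] = '\0';
    if (line[x] != '\0')
        ++x;                    /* skip the delimiter itself */
    memmove(line, line + x, strlen(line + x) + 1);  /* keep the NUL */
    return dropped;
}

typedef struct { char name[128]; char val[128]; } entry;  /* as in query.c */

/* One iteration of query.c's loop (plustospace/unescape_url omitted),
 * but with bounds. Returns total bytes dropped, 0 if everything fit. */
size_t parse_entry(entry *e, char *cl)
{
    size_t dropped = getword_bounded(e->val, sizeof e->val, cl, '&');
    return dropped + getword_bounded(e->name, sizeof e->name, e->val, '=');
}

/* Constructed input: a 300-byte value, far past the 128-byte field, that
 * the original getword() would write straight through the end of val. */
size_t demo_oversized(void)
{
    entry e;
    char cl[400];
    memset(cl, 'A', 300); memcpy(cl + 300, "&b=2", 5);
    size_t dropped = parse_entry(&e, cl);
    /* name holds the first 127 A's, val is empty, the next pair survived */
    if (strlen(e.name) != 127 || e.val[0] != '\0' || strcmp(cl, "b=2") != 0)
        return (size_t)-1;       /* unexpected state */
    return dropped;              /* 173 = 300 - 127 */
}
```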