httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marc Slemko <>
Subject Re: Overflow in one of Apache 1.1.1 (maybe later too)'s modules (fwd)
Date Fri, 05 Sep 1997 15:54:33 GMT
...and my response.

---------- Forwarded message ----------
Date: Fri, 5 Sep 1997 09:53:28 -0600 (MDT)
From: Marc Slemko <>
To: Matt Conover <shok@COBRA.ONLINEX.NET>
Subject: Re: Overflow in one of Apache 1.1.1 (maybe later too)'s modules

On Thu, 4 Sep 1997, Matt Conover wrote:

> Hello (sorry if this gets long or if it's known but I don't think it is):
> Well this is an obvious overflow in one of apache's modules; it is
> remote too.....however, luckily for the web admin's it's not installed
> by default. The problem is in mod_auth_anon.c in the function
> anon_authenticate_basic_user(). It contains the following lines:
> char errstr[MAX_STRING_LEN];
> [...]
>     if (sec->auth_anon_logemail) {
>         sprintf(errstr,"Anonymous: Passwd <%s> Accepted",
>                         send_pw ? send_pw : "\'none\'");
> [...]
>     } else {
>         if (sec->auth_anon_authorative) {
>         sprintf(errstr,"Anonymous: Authorative, Passwd <%s> not accepted",
>                 send_pw ? send_pw : "\'none\'");
> [...]

Yes, that is correct.  It is bad code.  You will note, however that input
lines are limited to MAX_STRING_LEN as well (couldn't be HUGE_STRING_LEN,
but they are the same) so you would have trouble inputting a password long
enough to cause problems.  There is a _LOT_ of code in Apache 1.1 that
works on this tacit assumption.  That is a bad thing, but most of it is
not exploitable.

In Apache 1.2, a full review of the source was done, and hundreds of
possible buffer overflows were fixed; very few could cause any real
damange.  We added our own ap_snprintf() (borrowed from other code) and
changed nearly every sprintf to ap_snprintf in addition to fixing other
possible overflows.

     Marc Slemko     | Apache team member  |

View raw message