httpd-dev mailing list archives

From Marcus Meissner <meiss...@suse.de>
Subject Re: CVE-2003-1418 - still affects apache 2 current
Date Thu, 01 Sep 2011 14:36:24 GMT
On Thu, Sep 01, 2011 at 03:30:57PM +0100, Nick Kew wrote:
> On Thu, 1 Sep 2011 14:39:11 +0200
> Marcus Meissner <meissner@suse.de> wrote:
> 
> > Hi,
> > 
> > CVE-2003-1418, a minor security issue, is still affecting the current codebase.
> > 
> > Someone opened a tracker bug a year ago without feedback:
> > https://issues.apache.org/bugzilla/show_bug.cgi?id=49623
> 
> I've just hacked up a simple candidate patch.  Review?
> 
> (trunk patch - trivial offset when applied to 2.2.x)

This just md5s the inodenr, right?

If yes, this is just obfuscation if you do not add some kind of random salt.

(You can still just do
	for (i=0;i<...;i++) md5($i) 
and compare, including use of Rainbow Tables.)

Ciao, Marcus
 
> -- 
> Nick Kew

> Index: modules/http/http_etag.c
> ===================================================================
> --- modules/http/http_etag.c	(revision 1164053)
> +++ modules/http/http_etag.c	(working copy)
> @@ -26,6 +26,7 @@
>  #include "http_core.h"
>  #include "http_protocol.h"   /* For index_of_response().  Grump. */
>  #include "http_request.h"
> +#include "util_md5.h"
>  
>  /* Generate the human-readable hex representation of an apr_uint64_t
>   * (basically a faster version of 'sprintf("%llx")')
> @@ -50,6 +51,13 @@
>      *next++ = HEX_DIGITS[u & (apr_uint64_t)0xf];
>      return next;
>  }
> +static char *etag_uint64_to_md5(char *next, apr_uint64_t u, apr_pool_t *pool)
> +{
> +    char *digest = ap_md5_binary(pool, (unsigned char*)&u, sizeof(u));
> +    int len = strlen(digest);
> +    memcpy(next, digest, len);
> +    return next+len;
> +}
>  
>  #define ETAG_WEAK "W/"
>  #define CHARS_PER_UINT64 (sizeof(apr_uint64_t) * 2)
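
Review bot: In etag_uint64_to_md5(), the only input to ap_md5_binary() is the 8 bytes of u, with no server-private value mixed in, so the digest is a fixed public function of the inode and can be matched by hashing candidate inode numbers, as the reply above points out. Consider feeding a per-server secret into the digest alongside u. Smaller points in the same function: hashing (unsigned char*)&u makes the output depend on host byte order, len should be apr_size_t rather than int to match strlen(), and the function needs a blank line before it and a short comment stating how many characters it writes to next.
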
> @@ -114,7 +122,7 @@
>           * FileETag keywords.
>           */
>          etag = apr_palloc(r->pool, weak_len + sizeof("\"--\"") +
> -                          3 * CHARS_PER_UINT64 + 1);
> +                          2 * CHARS_PER_UINT64 + 2 * APR_MD5_DIGESTSIZE + 1);
>          next = etag;
>          if (weak) {
>              while (*weak) {
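
Review bot: The new size term 2 * APR_MD5_DIGESTSIZE in the apr_palloc() call is only right as long as etag_uint64_to_md5() writes exactly that many characters, but the helper copies strlen(digest) bytes with no bound of its own. Give the digest's text length a named macro next to CHARS_PER_UINT64 and use it both here and in the helper (or copy a fixed length there), so the allocation and the write cannot drift apart.
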
> @@ -124,7 +132,7 @@
>          *next++ = '"';
>          bits_added = 0;
>          if (etag_bits & ETAG_INODE) {
> -            next = etag_uint64_to_hex(next, r->finfo.inode);
> +            next = etag_uint64_to_md5(next, r->finfo.inode, r->pool);
>              bits_added |= ETAG_INODE;
>          }
>          if (etag_bits & ETAG_SIZE) {
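
Review bot: The switch to etag_uint64_to_md5() in the ETAG_INODE branch is unconditional, so every ETag that includes the inode changes value and grows longer once this is deployed, and validators that clients and caches already hold will stop matching. That behaviour change deserves a line in the commit message and the change log, and a comment here should say why only the inode field is hashed while the ETAG_SIZE field that follows stays plain hex.
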


-- 
Working, but not speaking, for the following german company:
SUSE LINUX Products GmbH, HRB 16746 (AG Nuernberg)
Geschaeftsfuehrer: Jeff Hawn, Jennifer Guild, Felix Imendoerffer
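
An added example, not part of the original message or of the httpd code base: it shows why the digest in the patch still identifies the inode, and how a tag keyed with a server-side secret (one reading of the "random salt" suggested in the reply) does not match the same enumeration. The inode, key, search limit and function names are constructed for illustration, and a little-endian host is assumed.

```python
import hashlib
import hmac
import struct

# Constructed values for illustration; not taken from any real server.
SAMPLE_INODE = 183402
SERVER_KEY = b"constructed-per-server-secret-0001"
SEARCH_LIMIT = 2 ** 18   # small on purpose so the demo finishes quickly


def _raw(inode: int) -> bytes:
    # The patch hashes the 8 in-memory bytes of the apr_uint64_t;
    # little-endian layout is assumed here.
    return struct.pack("<Q", inode)


def unsalted_tag(inode: int) -> str:
    """32 hex chars of MD5 over the raw inode, like the patched ETag field."""
    return hashlib.md5(_raw(inode)).hexdigest()


def keyed_tag(inode: int, key: bytes) -> str:
    """Hypothetical alternative: HMAC-SHA256 under a server secret, cut to 32 hex chars."""
    return hmac.digest(key, _raw(inode), "sha256").hex()[:32]


def match_by_enumeration(observed: str, tag_fn, limit: int):
    """Return the inode whose tag equals `observed`, or None if none below `limit` does."""
    for candidate in range(limit):
        if tag_fn(candidate) == observed:
            return candidate
    return None


if __name__ == "__main__":
    leaked = unsalted_tag(SAMPLE_INODE)
    print("unsalted:", match_by_enumeration(leaked, unsalted_tag, SEARCH_LIMIT))
    protected = keyed_tag(SAMPLE_INODE, SERVER_KEY)
    # An observer without SERVER_KEY can only guess with some other key.
    guess = lambda i: keyed_tag(i, b"not-the-server-key")
    print("keyed:   ", match_by_enumeration(protected, guess, SEARCH_LIMIT))
```

A keyed tag only works as an ETag if the key stays the same across restarts and is shared by every server that serves the same files; otherwise conditional requests stop validating.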
