httpd-users mailing list archives

From Joshua Slive <jos...@slive.ca>
Subject Re: [users@httpd] Old apache exploit - Security Focus ID 5993
Date Thu, 19 Jun 2003 19:06:05 GMT

On Thu, 19 Jun 2003, Robert Brockway wrote:

> Hi all.  I'm going through some old exploits at the moment (don't ask :)
> and came across this one.
>
> Security Focus ID 5993 is a Buffer Overflow in HTDigest in apache 1.3.
>
> According to security focus (http://www.securityfocus.com/bid/5993) , all
> versions up to _and including_ 1.3.27 are vulnerable.  Now it isn't
> uncommon for SF to get a few details wrong, or to not update the exploit
> when a patch comes out, but I've RTFMed on this and found only the same
> information repeated.

From here:
http://cvs.apache.org/viewcvs.cgi/apache-1.3/src/support/htdigest.c
You can tell that the version with the fix has not yet been released.

But this is really not a very serious problem.  It would only be
exploitable if htdigest were to be called from a cgi script which is
1) rather a difficult thing to accomplish since it calls getpass, and 2)
not advisable for several other reasons.

Joshua.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

