Bugtraq mailing list archives
Re: Vulnerability in NCSA HTTPD 1.3
From: ckd () loiosh kei com (Christopher Davis)
Date: Tue, 14 Feb 1995 11:18:00 -0500
TL> == Thomas Lopatic <lopatic () dbs informatik uni-muenchen de>
PW> == Paul 'Shag' Walmsley <ccshag () cclabs missouri edu>

TL> we've installed the NCSA HTTPD 1.3 on our WWW server (HP9000/720,
TL> HP-UX 9.01) and I've found that it can be tricked into executing
TL> shell commands.

TL> /* The problem is that the array 'tmp' in the function 'strsubfirst()' */
TL> /* has a length of MAX_STRING_LEN. However, the function can be passed */
TL> /* arguments with up to HUGE_STRING_LEN characters. */

PW> As Thomas implied, this particular problem can probably be fixed by
PW> changing line 161 of util.c from
PW>
PW>     char tmp[MAX_STRING_LEN];
PW>
PW> to
PW>
PW>     char tmp[HUGE_STRING_LEN];
PW>
PW> in NCSA's source. We're running with the HUGE_STRING_LEN tmp now
PW> with no (immediately apparent) bad side-effects (other than Thomas'
PW> hack not working any more ;)

I'd suggest changing it to HUGE_STRING_LEN+MAX_STRING_LEN, just to give
you some slack.

However, I don't think even that will necessarily solve the problem. A
quick pass over the sources shows a *LOT* of strcat/strcpy calls to
various buffers, and *ONE* strncpy. Since they use static buffers all
over the place, this is a recipe for disaster; even if you fix this
particular one, there are probably half a dozen other places where the
same sort of thing could happen.

CERN's httpd seems to be a bit smarter about this sort of thing, but
it's SO huge that even if they have only 10% as many bugs per K, they're
worse than NCSA. (NCSA's src/* is 195K; CERN's WWW/Daemon/Implementation
is 610K, plus WWW/Library/Implementation's 1406K(!).)

Plexus, being perl-based, should at least be immune to the string
overflow problem :-) but I haven't exhaustively looked it over yet.

I haven't looked at gn yet; the source is only 146K, though, so it's
ahead of NCSA in at least that category...
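Added illustration (not code from NCSA httpd or from anyone in this thread) of the fix the posters are circling around: rather than enlarging a fixed-size scratch buffer, a replacement for the strsubfirst() pattern checks the result against the destination's real size and refuses oversized input outright. The function names, the MAX_STRING_LEN/HUGE_STRING_LEN values and the sample paths are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed limits for this example; NCSA's actual values may differ. */
#define MAX_STRING_LEN  256
#define HUGE_STRING_LEN 8192

/* The condition the thread describes: copying dest+start into a fixed
 * char tmp[MAX_STRING_LEN] overruns when the tail (plus NUL) is longer. */
int tail_overflows_tmp(const char *dest, size_t start)
{
    return strlen(dest + start) + 1 > MAX_STRING_LEN;
}

/* Hardened variant of the strsubfirst() pattern: replace the first 'start'
 * bytes of dest with src, never writing beyond destsz bytes, and refuse
 * (leaving dest untouched) rather than truncate when the result won't fit.
 * Returns 0 on success, -1 on bad arguments, -2 if the result won't fit. */
int strsubfirst_checked(size_t start, char *dest, size_t destsz, const char *src)
{
    const char *nul;
    size_t dlen, slen, tail;

    if (dest == NULL || src == NULL || destsz == 0)
        return -1;
    nul = memchr(dest, '\0', destsz);     /* bounded scan: no strlen on dest */
    if (nul == NULL)
        return -1;                        /* unterminated input: refuse */
    dlen = (size_t)(nul - dest);
    if (start > dlen)
        return -1;                        /* start past the end of dest */
    slen = strlen(src);
    tail = dlen - start;
    if (slen > destsz - 1 - tail)         /* slen + tail + NUL > destsz, without wraparound */
        return -2;
    /* Shift the tail into place first (memmove handles the overlap), then src. */
    memmove(dest + slen, dest + start, tail + 1);   /* +1 carries the NUL */
    memcpy(dest, src, slen);
    return 0;
}

int main(void)
{
    char a[32] = "/cgi-bin/script", b[32] = "/cgi-bin/script";
    /* 24-byte prefix + 7-byte tail + NUL fits the 32-byte buffer exactly */
    printf("%d %s\n", strsubfirst_checked(8, a, sizeof a, "/usr/local/etc/httpd/cgi"), a);
    /* 28-byte prefix would need 36 bytes: refused, b left as it was */
    printf("%d %s\n", strsubfirst_checked(8, b, sizeof b, "/usr/local/etc/httpd/cgi-bin"), b);
    return 0;
}
```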