Bugtraq mailing list archives
cgiwrap-3.5 (and 3.6beta1,
From: dps () IO STARGATE CO UK (Duncan Simpson)
Date: Sun, 7 Dec 1997 00:23:15 GMT
Hi, I have been hacking cgiwrap-3.5 for my own purposes. Anyway I spotted a code fragment that allocated a static buffer and printed an arbitrary length string in it. Exploits probably require one to create a file with the name containing shellcode but that should not be a serious problem (/ means new dir and \0 does not happen).
Here is a patch:
diff -ur cgiwrap-3.6beta1/util.c cgiwrap-3.6beta1-fixed/util.c --- cgiwrap-3.6beta1/util.c Tue Nov 18 04:51:05 1997 +++ cgiwrap-3.6beta1-fixed/util.c Sun Dec 7 00:15:27 1997 @@ -282,7 +282,7 @@ if (!(fileStat.st_mode & S_IXUSR)) { - sprintf(tempErrString, "Script is not executable. Issue chmod 755 %s", scriptPath); + snprintf(tempErrString, 254, "Script is not executable. Issue chmod 755 %s", scriptPath); MSG_Error_ExecutionNotPermitted(tempErrString); }
which should apply cleanly to 3.5 as well. (The patch is against 3.6beta1 as you can see). The maintainer has been informed.
Duncan (-:
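Review bot: the bound passed to snprintf on the + line is the literal 254, and the declaration of tempErrString is not part of this hunk, so nothing visible here shows that 254 matches the buffer or will still match it if the declaration changes. If tempErrString is an array in scope at this point, `snprintf(tempErrString, sizeof(tempErrString), ...)` ties the limit to the declaration instead of a magic number. The return value is also discarded, so an over-long scriptPath is truncated silently before MSG_Error_ExecutionNotPermitted(tempErrString) runs; that is acceptable for an error message but worth a short comment. The hunk touches only this one call, so any other sprintf into a fixed buffer elsewhere in util.c would need the same check.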