Buffer overflow in the query cgi.

[apropos () sover net (Apropos of Nothing)]

The cgi script 'query' has a buffer overflow problem.  Let's look at the code:

typedef struct {
    char name[128];
    char val[128];
} entry;
...
main(int argc, char *argv[]) {
    entry entries[10000];
    register int x,m=0;
    char *cl;

    cl = getenv("QUERY_STRING");

    for(x=0;cl[0] != '\0';x++) {
        m=x;
        getword(entries[x].val,cl,'&');
        plustospace(entries[x].val);
        unescape_url(entries[x].val);
        getword(entries[x].name,entries[x].val,'=');
    }

And recall what Aleph1 pointed out about 'getword':

void getword(char *word, char *line, char stop) {
    int x = 0,y;

    for(x=0;((line[x]) && (line[x] != stop));x++)
        word[x] = line[x];

    word[x] = '\0';
    if(line[x]) ++x;
    y=0;

    while(line[y++] = line[x++]);
}

> As you can see it does no bounds checking.

OK, so looking up at query.c again we see that it copies cl (the query
string) into entries[x].val (a 128 byte char) with getword... and you know
what that means!

My buffer overflow skills aren't very good, so I'd like to see if anyone
else can exploit this.  It should be pretty easy since all you have to do
is supply 128 bytes, then enough code to get up to the stack and overwrite
it, all in the query string.

apropos of nothing