Bugtraq mailing list archives
false alarm: query cgi problem
From: apropos () sover net (Apropos of Nothing)
Date: Thu, 9 Jan 1997 20:26:38 -0500
For anyone who cares, the buffer overflow in the query cgi is not exploitable. This is because the exploit requires 21,000+ bytes, and the maximum size for a URL is 1024 bytes. That is how it is defined in the RFC. Anyway, consider yourselves lucky since that stops all attacks on query.c based cgis. (phf, post-query, query, and maybe others have the same buffer overflow problem). Of course, it wouldn't hurt to make getword() et al. do bounds checking.

apropos of nothing
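The bounds checking the post asks for in getword(), sketched as an added example that is not part of the original message and not code from query.c. The name `getword_bounded`, its extra size parameter, the return codes and the sample query string are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical bounded variant of a getword()-style tokenizer.
 * Copies bytes from line up to (not including) stop into word, writing at
 * most wordsz bytes including the terminator, then shifts the rest of line
 * to the front. Returns 0 on success, -1 if the token did not fit (caller
 * should reject the request), -2 on bad arguments. */
int getword_bounded(char *word, size_t wordsz, char *line, char stop)
{
    size_t x, n = 0;
    int truncated = 0;

    if (word == NULL || line == NULL || wordsz == 0)
        return -2;

    /* Walk the whole token, but store only what fits in word. */
    for (x = 0; line[x] != '\0' && line[x] != stop; x++) {
        if (n < wordsz - 1)
            word[n++] = line[x];
        else
            truncated = 1;
    }
    word[n] = '\0';

    if (line[x] != '\0')
        x++;                                        /* skip the delimiter */
    memmove(line, line + x, strlen(line + x) + 1);  /* overlap-safe shift */

    return truncated ? -1 : 0;
}

int main(void)
{
    /* Constructed input: the second value is longer than the 8-byte buffer. */
    char query[] = "name=alice&comment=AAAAAAAAAAAAAAAAAAAAAAAA";
    char key[8], val[8];

    while (query[0] != '\0') {
        int kr = getword_bounded(key, sizeof key, query, '=');
        int vr = getword_bounded(val, sizeof val, query, '&');
        printf("%s -> %s%s\n", key, val, (kr || vr) ? " (rejected: too long)" : "");
    }
    return 0;
}
```

Passing the destination size at every call site keeps the check independent of any length limit enforced elsewhere in the request path.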