Re: Overflow in one of Apache 1.1.1 (maybe later too)'s modules

[marcs () ZNEP COM (Marc Slemko)]

On Thu, 4 Sep 1997, Matt Conover wrote:

> Hello (sorry if this gets long or if it's known but I don't think it is):
>
> Well this is an obvious overflow in one of apache's modules; it is
> remote too.....however, luckily for the web admin's it's not installed
> by default. The problem is in mod_auth_anon.c in the function
> anon_authenticate_basic_user(). It contains the following lines:
>
> char errstr[MAX_STRING_LEN];
> [...]
>     if (sec->auth_anon_logemail) {
>         sprintf(errstr,"Anonymous: Passwd <%s> Accepted",
>                         send_pw ? send_pw : "\'none\'");
> [...]
>     } else {
>         if (sec->auth_anon_authorative) {
>         sprintf(errstr,"Anonymous: Authorative, Passwd <%s> not accepted",
>                 send_pw ? send_pw : "\'none\'");
> [...]

Yes, that is correct.  It is bad code.  You will note, however that input
lines are limited to MAX_STRING_LEN as well (couldn't be HUGE_STRING_LEN,
but they are the same) so you would have trouble inputting a password long
enough to cause problems.  There is a _LOT_ of code in Apache 1.1 that
works on this tacit assumption.  That is a bad thing, but most of it is
not exploitable.

In Apache 1.2, a full review of the source was done, and hundreds of
possible buffer overflows were fixed; very few could cause any real
damange.  We added our own ap_snprintf() (borrowed from other code) and
changed nearly every sprintf to ap_snprintf in addition to fixing other
possible overflows.

--
     Marc Slemko     | Apache team member
     marcs () znep com  | marc () apache org