Bugtraq mailing list archives
Re: Overflow in one of Apache 1.1.1 (maybe later too)'s modules
From: marcs () ZNEP COM (Marc Slemko)
Date: Fri, 5 Sep 1997 09:53:28 -0600
On Thu, 4 Sep 1997, Matt Conover wrote:
> Hello (sorry if this gets long or if it's known but I don't think it is):
>
> Well this is an obvious overflow in one of Apache's modules; it is remote too... however, luckily for the web admins it's not installed by default. The problem is in mod_auth_anon.c in the function anon_authenticate_basic_user(). It contains the following lines:
>
>     char errstr[MAX_STRING_LEN];
>     [...]
>     if (sec->auth_anon_logemail) {
>         sprintf(errstr,"Anonymous: Passwd <%s> Accepted",
>                 send_pw ? send_pw : "\'none\'");
>         [...]
>     } else {
>         if (sec->auth_anon_authorative) {
>             sprintf(errstr,"Anonymous: Authorative, Passwd <%s> not accepted",
>                     send_pw ? send_pw : "\'none\'");
>     [...]
Yes, that is correct. It is bad code. You will note, however, that input lines are limited to MAX_STRING_LEN as well (couldn't be HUGE_STRING_LEN, but they are the same) so you would have trouble inputting a password long enough to cause problems.

There is a _LOT_ of code in Apache 1.1 that works on this tacit assumption. That is a bad thing, but most of it is not exploitable.

In Apache 1.2, a full review of the source was done, and hundreds of possible buffer overflows were fixed; very few could cause any real damage. We added our own ap_snprintf() (borrowed from other code) and changed nearly every sprintf to ap_snprintf in addition to fixing other possible overflows.

--
Marc Slemko | Apache team member
marcs () znep com | marc () apache org
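The sprintf-to-bounded-formatter change described in the reply, as an added example that is not from the original post or from Apache's source: it uses standard C99 snprintf() in place of ap_snprintf(), measures how much room the quoted format string needs, and reports truncation instead of relying on an input-length limit elsewhere. The helper names, the ANON_FMT macro and the MAX_STRING_LEN value of 8192 are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed value for illustration; the post only says it equals HUGE_STRING_LEN. */
#define MAX_STRING_LEN 8192

/* Same format string as the second quoted sprintf() call. */
#define ANON_FMT "Anonymous: Authorative, Passwd <%s> not accepted"

/* Bytes (including the NUL) the full message needs for this password.
 * snprintf(NULL, 0, ...) only measures; it writes nothing. */
size_t anon_msg_needed(const char *send_pw)
{
    int n = snprintf(NULL, 0, ANON_FMT, send_pw ? send_pw : "'none'");
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Bounded replacement for the sprintf() call (hypothetical helper).
 * Returns 0 if the message fit, 1 if it was truncated, -1 on error.
 * dst is NUL-terminated on success or truncation when dstlen > 0. */
int format_anon_msg(char *dst, size_t dstlen, const char *send_pw)
{
    int n = snprintf(dst, dstlen, ANON_FMT, send_pw ? send_pw : "'none'");
    if (n < 0)
        return -1;
    return (size_t)n >= dstlen ? 1 : 0;
}

int main(void)
{
    static char errstr[MAX_STRING_LEN];
    static char pw[MAX_STRING_LEN];      /* constructed sample input */

    memset(pw, 'A', sizeof(pw) - 1);     /* longest string a MAX_STRING_LEN buffer holds */
    pw[sizeof(pw) - 1] = '\0';

    /* The fixed text around %s means the message needs more than the input's length. */
    printf("needed=%zu buffer=%d truncated=%d\n",
           anon_msg_needed(pw), MAX_STRING_LEN,
           format_anon_msg(errstr, sizeof(errstr), pw));
    return 0;
}
```

A caller should treat a return of 1 as a signal to log the truncation or reject the request, since the destination no longer holds the full message.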