Bugtraq mailing list archives
buggy msql again (v2.0.11)
From: gdn () NEUROCOM COM (gregory duchemin)
Date: Fri, 3 Sep 1999 16:02:25 -0000
hi, i have just installed the evaluation version of the last w3-msql release (2.0.11) with its new security mechanism. There is effectively this new option "Force_Suffix" in msql.conf that force msql server to take its documents inside its private root instead of server's one. The cgi is actually still vulnerable because of numerous lacks in sources (take a look at storeArgs() in w3-msql.c). It's possible with a buffer overflow attack to gain web server priviledge and modify remotly server content. test it: www.victim.com is the target site. http://www.victim.com/cgi-bin/w3-msql/AAAAAAAAA.......AAAAA with about a 200 chars length filename, the server response is "Internal Server Error" and the cgi produce a core file. With a carrefully forged string including code instructions, it's possible to force remote server to execute arbitrary code. i'm going to write an exploit. Have a nice day ------- Gregory Duchemin - gdn () neurocom com Security Engineer NEUROCOM http://www.neurocom.com/ 179/181 avenue Charles de Gaulle 92200 Neuilly Sur Seine Tel: 01.41.43.84.84 Fax: 01.41.43.84.80
Current thread:
- RH 6.0 shadowed users and user lock bug fix Prince Ctrl (Aug 30)
- Re: RH 6.0 shadowed users and user lock bug fix Mihai Ibanescu (Sep 02)
- buggy msql again (v2.0.11) gregory duchemin (Sep 03)
- DOS in Backup Exec Agent Mike Owen (Sep 03)