Bugtraq mailing list archives

Re: Details on the updated namazu packages that are available


From: knok () daionet gr jp (NOKUBI Takatsugu)
Date: Fri, 11 Jan 2002 10:07:52 JST

In article <3C3CCEFE.6080501 () snosoft com>
dotslash () snosoft com writes:

Doh! Looks like I slept on this one too long... here's some of my
personal notes on exploiting this issue. Have fun.

Thanks for your report.

Here is my research on the above issues:
There are several buffer overflows in the QUERY_STRING options
Unfortunately the check in namazu.h screws us...

Yes, I had recognized it. So there is a notice about it as the
following:

libnamazu.h:
enum {
    /* Size of general buffers. This MUST be larger than QUERY_MAX */
    BUFSIZE = 1024,

    QUERY_TOKEN_MAX =  32, /* Max number of tokens in the query. */
    QUERY_MAX       = 256, /* Max length of the query. */

    INDEX_MAX = 64        /* Max number of databases */
};

.. Oops, it only mentions QUERY_MAX, not CGI_QUERY_MAX. I'll fix it.

In other words unless you have modified namazu then you are not vuln.
Now we can exploit this via the command line as a side note ... although
it's not suid...
[root@linuxppc src]# ./namazu querystring `perl -e 'print "A" x 1024'`
Results:

References:  [  (can't open the index)  ]

No document matching your query.
Aborted (core dumped)

The CGI program (namazu.cgi) and the command-line program (namazu) are
separate, and the command-line program cannot be invoked as a
CGI. Therefore I think it is not so serious.

At all events, I'll fix it in the next release. Thanks.
-- 
NOKUBI Takatsugu
E-mail: knok () daionet gr jp
        knok () namazu org / knok () debian org

