Bugtraq mailing list archives
Multiple vulnerabilities in atphttpd-0.4b
From: qitest1 <qitest1 () bespin org>
Date: Fri, 12 Jul 2002 17:20:47 +0200 (CEST)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
QITEST1 SECURITY ADVISORY #004
Multiple vulnerabilities in atphttpd-0.4b
PROGRAM DESCRIPTION
atphttpd is a caching, tiny - and buggy - webserver written by Yann
Ramin <atrus () atrustrivalie eu org>.
DETAILS
There are several remotely exploitable flaws in the source code:
regular buffer overflows and an off-by-one buffer overflow.
An attacker would gain the privileges of the user running atphttpd.
SOLUTION
The author was contacted but was not reachable. The following patch
should fix these bugs.
==8< atphttpd-0.4b.patch 8<==
diff -u atphttpd-0.4b-old/atphttpd/http_handler.c atphttpd-0.4b/atphttpd/http_handler.c
- --- atphttpd-0.4b-old/atphttpd/http_handler.c Sat Apr 22 05:05:57 2000
+++ atphttpd-0.4b/atphttpd/http_handler.c Fri Jul 12 13:20:16 2002
@@ -235,7 +235,7 @@
(void) sprintf(buffer, "<HTML><HEAD><TITLE>%d %s</TITLE></HEAD>\n<BODY><H2>%d %s</H2>\n", status, title, status,
title );
sock_puts(hc[listnum].socket, buffer);
- - (void) sprintf(buffer, "The following error occurred while trying to examine the garbage that you sent this poor
webserver: <br><b>%s</b><br><br>\n", text );
+ snprintf(buffer, sizeof(buffer), "The following error occurred while trying to examine the garbage that you sent
this poor webserver: <br><b>%s</b><br><br>\n", text);
sock_puts(hc[listnum].socket, buffer);
(void) sprintf(buffer, "<HR>\n<ADDRESS>This cool page was automaticly generated by the trained rodents living
inside the <A HREF=\"%s\">%s</A> webserver.</ADDRESS>\n</BODY></HTML>\n", SERVER_URL, SERVER_NAME );
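Review bot: `sizeof(buffer)` in the new snprintf call only gives the real bound if `buffer` is a fixed-size array declared in this function; its declaration is outside the hunk, so confirm it is not a `char *` parameter, where sizeof would be the pointer width and the limit would be wrong. The first and third sprintf calls into the same buffer (the `status, title` line and the `SERVER_URL, SERVER_NAME` line) are left unchanged; that is only safe while `title` and the SERVER_* values are short compile-time constants, and converting them to snprintf as well costs nothing. snprintf also truncates silently, so a request that overflows the bound now emits a cut-off HTML page; comparing the return value against `sizeof(buffer)` and refusing to send a truncated body is a cheap addition.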
diff -u atphttpd-0.4b-old/atphttpd/main.c atphttpd-0.4b/atphttpd/main.c
- --- atphttpd-0.4b-old/atphttpd/main.c Sat Apr 22 05:06:00 2000
+++ atphttpd-0.4b/atphttpd/main.c Fri Jul 12 13:30:55 2002
@@ -141,13 +141,11 @@
}
}
- - void deal_with_data(int listnum) {
- - char buffer[MAX_BUFFER]; /* Buffer for socket reads */
- -// char *cur_char; /* Used in processing buffer */
- - char method[MAX_STORE], path[MAX_STORE], protocol[MAX_STORE];
- -
- - if (sock_gets(hc[listnum].socket,buffer,MAX_BUFFER) < 0) {
+void deal_with_data(int listnum) {
+ char buffer[MAX_BUFFER];
+ char method[MAX_STORE], path[MAX_STORE], protocol[MAX_STORE];
+ if (sock_gets(hc[listnum].socket, buffer, MAX_BUFFER - 1) < 0) {
close(hc[listnum].socket);
hc[listnum].socket = 0;
} else {
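Review bot: whether `MAX_BUFFER - 1` is the right bound depends on the contract of `sock_gets`, which is not in the patch: if it reads up to `len` bytes and then writes a terminating NUL at `buffer[len]`, this is the fix for the off-by-one; if it already reserves room for the NUL, the change is harmless but the off-by-one the advisory mentions is elsewhere. Stating which case applies would let reviewers verify the fix. Style: the hunk also rewrites the unchanged declaration lines and drops the `/* Buffer for socket reads */` comment and the dead `cur_char` line, which enlarges the diff without changing behaviour; restricting it to the one-line change in the `sock_gets` call would be cleaner.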
@@ -155,7 +153,7 @@
*
*
* Right now it is very dumb, and only checks for a get
header *
* Improvements? */
- - sscanf( buffer, "%[^ ] %[^ ] %[^ ]", method, path, protocol );
+ sscanf(buffer, "%1023s %1023s %1023s", method, path, protocol);
if ( strcasecmp( method, "get" ) == 0 || strcasecmp( method, "head" ) == 0) {
strcpy(hc[listnum].path, path);
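Review bot: `%1023s` hard-codes a width that is only correct if `MAX_STORE` is 1024; derive it from the macro (a stringified `MAX_STORE - 1`) so a later change to MAX_STORE does not silently reintroduce the overflow. The return value of sscanf is still unchecked: a request line with fewer than three fields leaves `path` and/or `protocol` uninitialized, and the `strcpy(hc[listnum].path, path)` below then copies whatever is on the stack; require a return value of 3 and send an error otherwise. That strcpy is itself still unbounded and is only safe if `hc[listnum].path` is at least MAX_STORE bytes, which the hunk does not show; a bounded copy would remove the dependency. Finally, `%s` differs from `%[^ ]` in that it skips leading whitespace and stops at tabs and CR/LF as well as spaces; that is acceptable here but is a behaviour change worth noting.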
==8< atphttpd-0.4b.patch 8<==
-- -------------------------------------------
---- q1-- ----------------------------------------
-- -------------------------------------------
Web: http://bespin.org/~qitest1
GPG public key: http://bespin.org/~qitest1/qitest1.gpg.key
- --------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE9LtQ/IrsshIyVmPkRAvrcAJ4pmxndYZKUhhz8kgTyY3gJ1gvoWQCgk3mh
pnhu3Y3K7gzgiroXxvvjKF4=
=cnA0
-----END PGP SIGNATURE-----
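The fixes above bound the scanf widths and the error-page sprintf. The example below is an added illustration, not atphttpd code, of the two checks a reviewer would want beyond the patch: a request-line parser that rejects over-long or missing tokens instead of truncating them, and an error-body formatter that reports snprintf truncation to its caller. MAX_STORE, the struct and function names, and the sample request lines are assumptions made for this example; atphttpd's real values are not shown on the page.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size for this example; atphttpd's real MAX_STORE is not on the page. */
#define MAX_STORE 1024

struct request_line {
    char method[MAX_STORE];
    char path[MAX_STORE];
    char protocol[MAX_STORE];
};

/* Copy one blank-delimited token from *cursor into dst (size dstsz).
 * Returns 0 on success, -1 if the token is empty or would not fit.
 * Unlike sscanf("%1023s"), an over-long token is rejected, not cut. */
static int take_token(const char **cursor, char *dst, size_t dstsz)
{
    const char *p = *cursor;
    size_t len;

    p += strspn(p, " \t");            /* skip leading blanks */
    len = strcspn(p, " \t\r\n");      /* token runs to next blank or line end */
    if (len == 0 || len >= dstsz)
        return -1;                    /* reject, never truncate */
    memcpy(dst, p, len);
    dst[len] = '\0';
    *cursor = p + len;
    return 0;
}

/* Parse "METHOD SP PATH SP PROTOCOL" into rl. Returns 1 only if all three
 * tokens were present, fit their buffers, and nothing else follows; the
 * caller should answer 400 and close on 0. */
int parse_request_line(const char *line, struct request_line *rl)
{
    const char *cur = line;

    if (take_token(&cur, rl->method, sizeof rl->method) < 0) return 0;
    if (take_token(&cur, rl->path, sizeof rl->path) < 0) return 0;
    if (take_token(&cur, rl->protocol, sizeof rl->protocol) < 0) return 0;
    cur += strspn(cur, " \t\r\n");
    return *cur == '\0';
}

/* Bounded replacement for the error-page sprintf: returns 1 if the whole
 * message fit in buf, 0 if snprintf had to truncate. buf is always
 * NUL-terminated either way. */
int format_error_body(char *buf, size_t bufsz, const char *text)
{
    int n = snprintf(buf, bufsz,
                     "The following error occurred: <br><b>%s</b><br><br>\n", text);
    return n >= 0 && (size_t)n < bufsz;
}

/* Constructed request lines exercising the parser. */
int example_good_request(void)
{
    struct request_line rl;
    if (!parse_request_line("GET /index.html HTTP/1.0\r\n", &rl)) return 0;
    return strcmp(rl.method, "GET") == 0 && strcmp(rl.path, "/index.html") == 0
        && strcmp(rl.protocol, "HTTP/1.0") == 0;
}

int example_overlong_path(void)
{
    char line[2 * MAX_STORE + 32];
    struct request_line rl;
    size_t n = 0;

    memcpy(line, "GET /", 5);               n = 5;
    memset(line + n, 'A', MAX_STORE);       n += MAX_STORE;   /* path is MAX_STORE + 1 bytes */
    memcpy(line + n, " HTTP/1.0\r\n", 12);                    /* 11 chars plus NUL */
    return parse_request_line(line, &rl) == 0;                /* rejected, not truncated */
}

int example_missing_protocol(void)
{
    struct request_line rl;
    return parse_request_line("GET /index.html\r\n", &rl) == 0;
}

int example_error_body(void)
{
    char buf[64];
    char big[200];

    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    if (!format_error_body(buf, sizeof buf, "bad request")) return 0;  /* short text fits */
    if (format_error_body(buf, sizeof buf, big)) return 0;             /* long text reported as truncated */
    return buf[sizeof buf - 1] == '\0';                                /* buffer still terminated */
}
```

The parser uses strspn/strcspn rather than sscanf so the bound is tied to `sizeof` of the destination and cannot drift from the buffer size the way a literal `%1023s` can; a token that would need truncation is an error, because a silently shortened path followed by the rest of the request being read as the protocol is exactly the kind of parse that later code does not expect.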
Current thread:
- Multiple vulnerabilities in atphttpd-0.4b qitest1 (Jul 12)
- <Possible follow-ups>
- Re: Multiple vulnerabilities in atphttpd-0.4b badc0ded (Jul 14)
