Full Disclosure mailing list archives

Apache 1.3.37 htpasswd buffer overflow vulnerability


From: "Matias Soler" <gnuler () gmail com>
Date: Tue, 2 Jan 2007 17:20:25 -0300

Synopsis: Apache 1.3.37 htpasswd buffer overflow vulnerability
Version: 1.3.37 (latest 1.3.xx)

Product
=======
Apache htpasswd utility

Issue
=====
A buffer overflow vulnerability has been found. It is dangerous only in
environments where the binary is setuid root (or is otherwise invoked with more
privilege than the caller who controls the username argument, for example
through a privileged wrapper); a plain unprivileged invocation only crashes the
caller's own process.

Details
=======
The length check on the username argument sits inside a conditional block that
is not executed on every code path, so the subsequent strcpy() of the
command-line argument into the fixed-size buffer `user` can run unchecked and
write past the end of the buffer.
File: htpasswd.c, line 421.
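The control-flow shape of this bug, reduced to a constructed example that is added
here and is not Apache's code. The `user` buffer, the `nofile` flag, the 16-byte
buffer size and the result codes are assumptions made for illustration; the real
htpasswd.c uses a larger fixed array and its own option handling. The "before"
variant keeps the length check inside a block that a flag can skip, as the `<`
lines of the patch below show, and the "after" variant hoists the check out of
that block, as the `>` lines do. To make the overrun observable without
undefined behaviour, the copy target is the first 16 bytes of a 32-byte arena and
the remaining bytes act as a sentinel that the test inspects afterwards.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example, not Apache's code. ERR_OVERFLOW mirrors the name used
 * in the posted hunk; its value here is illustrative. */
#define ERR_OVERFLOW 5
#define USER_LEN     16   /* assumed size of the fixed `user` buffer */
#define ARENA_LEN    32   /* user buffer followed by a sentinel region */

/* Constructed 24-character username (3 x 8): longer than USER_LEN - 1 but
 * short enough that strcpy() stays inside the 32-byte arena. */
#define LONGNAME "aaaaaaaa" "aaaaaaaa" "aaaaaaaa"

/* Result codes returned by run_variant(). */
#define RESULT_OK       0  /* copy done, sentinel intact */
#define RESULT_REJECTED 1  /* copy refused with ERR_OVERFLOW, sentinel intact */
#define RESULT_OVERRUN  2  /* strcpy() wrote past `user` into the sentinel */

/* "Before": the length check sits inside a block that is not executed when
 * `nofile` is set, so that path reaches strcpy() unchecked. */
static int copy_user_before(char *user, size_t userlen, const char *arg, int nofile)
{
    if (!nofile) {
        if (strlen(arg) > userlen - 1)
            return ERR_OVERFLOW;
    }
    strcpy(user, arg);            /* unchecked when nofile != 0 */
    return 0;
}

/* "After": the check is hoisted out of the conditional, so every path that
 * reaches strcpy() has verified the length first. */
static int copy_user_after(char *user, size_t userlen, const char *arg, int nofile)
{
    (void)nofile;                 /* the flag no longer bypasses the check */
    if (strlen(arg) > userlen - 1)
        return ERR_OVERFLOW;
    strcpy(user, arg);
    return 0;
}

typedef int (*copy_fn)(char *user, size_t userlen, const char *arg, int nofile);

/* Runs one variant with `user` as the first USER_LEN bytes of a 32-byte arena
 * whose tail is filled with 0xAA. A write past USER_LEN lands in the tail,
 * which is still inside the arena (so no undefined behaviour), and is
 * detected by checking the sentinel afterwards. */
static int run_variant(copy_fn fn, const char *arg, int nofile)
{
    unsigned char arena[ARENA_LEN];
    int rc;

    memset(arena, 0xAA, sizeof arena);
    rc = fn((char *)arena, USER_LEN, arg, nofile);
    for (size_t i = USER_LEN; i < ARENA_LEN; i++)
        if (arena[i] != 0xAA)
            return RESULT_OVERRUN;
    return rc == ERR_OVERFLOW ? RESULT_REJECTED : RESULT_OK;
}

int main(void)
{
    printf("before, check reachable : %d\n", run_variant(copy_user_before, LONGNAME, 0));
    printf("before, check skipped   : %d\n", run_variant(copy_user_before, LONGNAME, 1));
    printf("after,  check skipped   : %d\n", run_variant(copy_user_after, LONGNAME, 1));
    printf("after,  short name      : %d\n", run_variant(copy_user_after, "bob", 1));
    return 0;
}
```

The fix is deliberately a rejecting check rather than a bounded copy: a bounded
copy such as strncpy() would silently truncate the username and create an entry
for a different name than the one requested, which is a behaviour change, while
returning ERR_OVERFLOW on every path preserves the tool's existing contract.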

Solution
========
Apply this patch to htpasswd.c

-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<--

 415,419c415,420
 <       if (strlen(argv[i + 1]) > (sizeof(user) - 1)) {
 <           fprintf(stderr, "%s: username too long (>%lu)\n", argv[0],
 <                   (unsigned long)(sizeof(user) - 1));
 <           return ERR_OVERFLOW;
 <       }
 ---
 >     }
 >     if (strlen(argv[i + 1]) > (sizeof(user) - 1)) {
 >       fprintf(stderr, "%s: username too long (>%lu)\n", argv[0],
 >       (unsigned long)(sizeof(user) - 1));
 >       return ERR_OVERFLOW;
 >
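Review bot: the hunk header says six new lines (415,419c415,420) but the sixth `>` line is empty, so the closing `}` of the hoisted `if (strlen(argv[i + 1]) > ...)` block does not appear; as posted the patch leaves that block unclosed and anyone applying it by hand needs to confirm the brace. Since this is a normal-format diff with no filename or context, please resend it as `diff -u` against src/support/htpasswd.c so it applies regardless of line offsets; the moved lines also use a narrower indentation than the removed ones and should follow the surrounding style.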
--->8----->8----->8----->8----->8----->8----->8----->8----->8----->8----->8-----

Affected Versions
==================
1.3.37 - http://www.apache.org/dist/httpd/apache_1.3.37.tar.gz

Notes & References
==================
Another similar bug was discovered by Luiz Fernando [1]; a patch was written
by Larry Cashdollar which also fixed the bug I'm posting, but it seems not to
have been applied to the latest versions of Apache 1.3.xx.

Michael Engert submitted another patch [1] which also fixed this bug and filed
a bug report [2], but it wasn't applied.

See other posts [3][4] on this and similar issues.

A bug report [5] has been filed on this issue.

Credits
=======
Matias S. Soler - gnuler [at] gmail [dot] com
Luiz Fernando
Michael Engert


1 - http://archives.neohapsis.com/archives/fulldisclosure/2004-09/0547.html
2 - http://issues.apache.org/bugzilla/show_bug.cgi?id=31975
3 - http://seclists.org/bugtraq/2004/Oct/0359.html
4 - http://www.security-express.com/archives/fulldisclosure/2004-10/1117.html
5 - http://issues.apache.org/bugzilla/show_bug.cgi?id=41279

--
Matias S. Soler
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/