Bugtraq mailing list archives

ANOTHER hole in NCSA httpd1.3R

From: paulp () CERF NET (Paul Phillips)
Date: Tue, 11 Apr 1995 23:49:39 -0700


Looks like I posted too fast, I just found another hole in httpd.

In http_access.c, function evalute_access:

    if(S_ISDIR(finfo->st_mode)) strcpy_dir(path,p);
    else strcpy(path,p);

The second strcpy is copying a filename (again, potentially 8192 characters)
into a local buffer (256 characters.)

Some scary info:

{nic} grep strcpy *.c | wc -l
    123
{nic} grep sprintf *.c |wc -l
     51

There are more holes here, folks.

--
Paul Phillips
paulp () cerf net

Current thread:

All.Net's security testing service, (continued)
- - - All.Net's security testing service Baltzer, Craig (Apr 07)
    - Re[2]: Technical Observations on SATAN: Issue: VMS and TCP/I Nayfield, Rod (Apr 07)
    - Re: SATAN ATTACKS EVERYWHERE Wolfgang Ley (Apr 09)
    - Re: SATAN ATTACKS EVERYWHERE Christopher Klaus (Jul 25)
- Shadowed PW file under Linux lenex (Apr 06)
  - Re: Shadowed PW file under Linux Cenon B.C. Marana Jr. (Apr 07)
    - Re: Shadowed PW file under Linux John F. Haugh II (Apr 09)
    - Re: Shadowed PW file under OSF/1 Cenon B.C. Marana Jr. (Apr 09)
    - Re: Shadowed PW file under OSF/1 Software Test Account (Apr 11)
    - Sys V. shedges () cactus netinterior com (Apr 11)
    - ANOTHER hole in NCSA httpd1.3R Paul Phillips (Apr 11)
    - UUCP/sendmail configs.. Cenon B.C. Marana Jr. (Apr 09)
    - Obtaining NIS domainname from Gatorbox Ken Weaverling (Apr 10)
  - sub Pevrul Sahin (Apr 08)
  - Re: Shadowed PW file under Linux John F. Haugh II (Apr 08)