Bugtraq mailing list archives
ANOTHER hole in NCSA httpd1.3R
From: paulp () CERF NET (Paul Phillips)
Date: Tue, 11 Apr 1995 23:49:39 -0700
Looks like I posted too fast, I just found another hole in httpd. In http_access.c, function evalute_access: if(S_ISDIR(finfo->st_mode)) strcpy_dir(path,p); else strcpy(path,p); The second strcpy is copying a filename (again, potentially 8192 characters) into a local buffer (256 characters.) Some scary info: {nic} grep strcpy *.c | wc -l 123 {nic} grep sprintf *.c |wc -l 51 There are more holes here, folks. -- Paul Phillips paulp () cerf net
Current thread:
- All.Net's security testing service, (continued)
- All.Net's security testing service Baltzer, Craig (Apr 07)
- Re[2]: Technical Observations on SATAN: Issue: VMS and TCP/I Nayfield, Rod (Apr 07)
- Re: SATAN ATTACKS EVERYWHERE Wolfgang Ley (Apr 09)
- Re: SATAN ATTACKS EVERYWHERE Christopher Klaus (Jul 25)
- Shadowed PW file under Linux lenex (Apr 06)
- Re: Shadowed PW file under Linux Cenon B.C. Marana Jr. (Apr 07)
- Re: Shadowed PW file under Linux John F. Haugh II (Apr 09)
- Re: Shadowed PW file under OSF/1 Cenon B.C. Marana Jr. (Apr 09)
- Re: Shadowed PW file under OSF/1 Software Test Account (Apr 11)
- Sys V. shedges () cactus netinterior com (Apr 11)
- ANOTHER hole in NCSA httpd1.3R Paul Phillips (Apr 11)
- UUCP/sendmail configs.. Cenon B.C. Marana Jr. (Apr 09)
- Obtaining NIS domainname from Gatorbox Ken Weaverling (Apr 10)
- Re: Shadowed PW file under Linux Cenon B.C. Marana Jr. (Apr 07)