Bugtraq mailing list archives
Re: Vulnerability in NCSA HTTPD 1.3
From: ccshag () cclabs missouri edu (Paul 'Shag' Walmsley)
Date: Tue, 14 Feb 1995 00:33:05 -0600 (CST)
On Mon, 13 Feb 1995, Thomas Lopatic wrote:
> Hello there, we've installed the NCSA HTTPD 1.3 on our WWW server (HP9000/720, HP-UX 9.01) and I've found that it can be tricked into executing shell commands.
> ...
> /* The problem is that the array 'tmp' in the function 'strsubfirst()' */
> /* has a length of MAX_STRING_LEN. However, the function can be passed */
> /* arguments with up to HUGE_STRING_LEN characters.                    */

As Thomas implied, this particular problem can probably be fixed by changing line 161 of util.c from

    char tmp[MAX_STRING_LEN];

to

    char tmp[HUGE_STRING_LEN];

in NCSA's source. We're running with the HUGE_STRING_LEN tmp now with no (immediately apparent) bad side-effects (other than Thomas' hack not working any more ;)

> -- Thomas Lopatic lopatic () informatik uni-muenchen de

- Paul "Shag" Walmsley <ccshag () cclabs missouri edu>
"I'll drink a toast to bold evolution any day!"
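Added example, not part of the original post and not NCSA's code: a length-checked routine of the kind the quoted comment is about (replace a string's prefix in place), written so that the bound is checked against the destination's capacity instead of relying on a fixed-size temporary. The function name, its signature, the constant values and the sample paths are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed sizes for illustration; the post names the constants, not their values. */
#define MAX_STRING_LEN  256
#define HUGE_STRING_LEN 8192

/*
 * Hypothetical bounded counterpart of a strsubfirst()-style routine:
 * replace the first `start` bytes of `dest` with `src`.
 * `dest_size` is the full capacity of `dest`. `src` must not alias `dest`.
 * Returns 0 on success, -1 if an argument is invalid or the result
 * (including the terminating NUL) would not fit; `dest` is then unchanged.
 */
int strsubfirst_bounded(size_t start, char *dest, size_t dest_size, const char *src)
{
    const char *nul;
    size_t dest_len, src_len, tail_len;

    if (dest == NULL || src == NULL || dest_size == 0)
        return -1;
    nul = memchr(dest, '\0', dest_size);
    if (nul == NULL)
        return -1;                        /* dest is not NUL-terminated */
    dest_len = (size_t)(nul - dest);
    if (start > dest_len)
        return -1;                        /* offset past end of string */
    src_len = strlen(src);
    tail_len = dest_len - start;
    if (src_len >= dest_size || tail_len >= dest_size - src_len)
        return -1;                        /* result would overflow dest */
    /* Shift the tail (with its NUL) first; memmove handles the overlap. */
    memmove(dest + src_len, dest + start, tail_len + 1);
    memcpy(dest, src, src_len);
    return 0;
}

int main(void)
{
    char path[MAX_STRING_LEN] = "/cgi-bin/test";   /* constructed input */
    char big[HUGE_STRING_LEN];
    int rc;

    memset(big, 'A', sizeof big - 1);              /* oversized replacement */
    big[sizeof big - 1] = '\0';
    rc = strsubfirst_bounded(8, path, sizeof path, "/scripts");
    printf("fits:     rc=%d path=%s\n", rc, path);
    rc = strsubfirst_bounded(8, path, sizeof path, big);
    printf("too long: rc=%d path=%s\n", rc, path);
    return 0;
}
```

Callers have to treat a -1 return as a rejected request; silently continuing with the unmodified string would only move the problem.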