Re: Vulnerability in NCSA HTTPD 1.3

[ckd () loiosh kei com (Christopher Davis)]

TL> == Thomas Lopatic <lopatic () dbs informatik uni-muenchen de>
PW> == Paul 'Shag' Walmsley <ccshag () cclabs missouri edu>

 TL> we've installed the NCSA HTTPD 1.3 on our WWW server (HP9000/720,
 TL> HP-UX 9.01) and I've found, that it can be tricked into executing
 TL> shell commands.

 TL> /* The problem is that the array 'tmp' in the function 'strsubfirst()' */
 TL> /* has a length of MAX_STRING_LEN. However, the function can be passed */
 TL> /* arguments with up to HUGE_STRING_LEN characters. */

 PW> As Thomas implied, this particular problem can probably be fixed by
 PW> changing line 161 of util.c from

 PW>    char tmp[MAX_STRING_LEN];
 PW> to
 PW>    char tmp[HUGE_STRING_LEN];

 PW> in NCSA's source.  We're running with the HUGE_STRING_LEN tmp now
 PW> with no (immediately apparent) bad side-effects (other than Thomas'
 PW> hack not working any more ;)

I'd suggest changing it to HUGE_STRING_LEN+MAX_STRING_LEN, just to give
you some slack.

However, I don't think even that will necessarily solve the problem.  A
quick pass over the sources show a *LOT* of strcat/strcpy calls to various
buffers, and *ONE* strncpy.  Since they use static buffers all over the
place, this is a recipe for disaster; even if you fix this particular one,
there are probably half a dozen other places where the same sort of thing
could happen.

CERN's httpd seems to be a bit smarter about this sort of thing, but it's
SO huge that even if they have only 10% as many bugs per K, they're worse
than NCSA.  (NCSA's src/* is 195K; CERN's WWW/Daemon/Implementation is
610K, plus WWW/Library/Implementation's 1406K(!).)

Plexus, being perl-based, should at least be immune to the string overflow
problem:-) but I haven't exhaustively looked it over yet.

I haven't looked at gn yet; the source is only 146K, though, so it's ahead
of NCSA in at least that category...