Bugtraq mailing list archives

NCSA httpd 1.3


From: kevintx () paranoia com (Kevin at Paranoia)
Date: Thu, 23 Feb 1995 10:22:18 -0600 (CST)


Following CERT's first suggestion on the NCSA httpd 1.3 crashed my WWW 
server!  The added 7936 bytes to MAX_STRING_LEN (in 154 instances) made 
each running httpd process about 100K larger and brought the server 
(which runs close to swapping anyway at busy times) crashing to its knees.

NCSA says that the util.c patch is enough to cover the vulnerability.  
(their details are at http://hoohoo.ncsa.uiuc.edu/docs/patch_desc.html)

The top of that page reads:

A vulnerability was recently discovered in the NCSA httpd.  A program 
which will break into an HP system running the precompiled httpd has been 
published, along with step by step instructions.

Three cheers for full disclosure.. it gets results.

kevin
-- 
  kevintx () paranoia com  |    "Ask me no questions, I'll tell you no lies."
 (System Administrator) | Paranoia offers low cost accounts to those in need.
 Finger for PGP 2.3 Key |  <a href="http://www.paranoia.com/">The Server</a>


