Bugtraq mailing list archives
Re: Remote buffer overflow in Webalizer
From: "Bradford L. Barrett" <brad () mrunix net>
Date: Wed, 17 Apr 2002 02:19:37 -0400 (EDT)
> Here is a patch to fix the vulnerability (tested against webalizer-2.01-06).

Bad fix.. while it will prevent the buffer from overflowing (which I still fail to see how can be used to execute a 'root' exploit, even with a LOT of imagination), but will cause the buffer to be filled with a non-null terminated string which will do all sorts of nasty things to your output, not to mention wreak havoc on the stats since you are cutting off the domain portion, not the hostname part, and adding random garbage at the end.

Anyway, Version 2.01-10 has been released, which fixes this and a few other buglets that have been discovered in the last month or so. Get it at the usual place (web: www.mrunix.net/webalizer/ or www.webalizer.org or ftp: ftp.mrunix.net/pub/webalizer/), and should be on the mirror sites soon.

--
Bradford L. Barrett                      brad () mrunix net
A free electron in a sea of neutrons     DoD#1750 KD4NAW

The only thing Micro$oft has done for society, is make people believe that computers are inherently unreliable.
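The two failure modes named in the reply above (a bounded copy that leaves no terminator, and truncation that drops the domain end of the name) can be shown side by side. This is an added example, not code from Webalizer or from either poster's patch; the function names, the 16-byte buffer size and the sample hostname are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define HOST_BUF 16  /* constructed small size, not Webalizer's real limit */

/* Flawed pattern: bounded, but strncpy writes no NUL when src is as long
 * as or longer than dstsz, and it is the tail (domain) that gets dropped. */
void copy_head_unterminated(char *dst, size_t dstsz, const char *src)
{
    strncpy(dst, src, dstsz);
}

/* Returns 1 if a NUL byte exists inside the buffer, 0 otherwise.
 * Uses memchr so the check itself never reads past the buffer. */
int is_terminated(const char *buf, size_t bufsz)
{
    return memchr(buf, '\0', bufsz) != NULL;
}

/* Bounded copy that always terminates and, when it must truncate, keeps
 * the rightmost bytes so the domain suffix survives.
 * Returns 1 if the name was truncated, 0 if it fit. */
int copy_keep_domain(char *dst, size_t dstsz, const char *src)
{
    size_t len, keep;

    if (dstsz == 0)
        return 1;                      /* nowhere to write anything */
    len = strlen(src);
    keep = dstsz - 1;                  /* reserve one byte for the NUL */
    if (len <= keep) {
        memcpy(dst, src, len + 1);     /* fits, terminator included */
        return 0;
    }
    memcpy(dst, src + (len - keep), keep);  /* keep the domain end */
    dst[keep] = '\0';
    return 1;
}

int main(void)
{
    /* constructed sample hostname, 40 characters long */
    const char *host = "a-very-long-reverse-dns-name.example.com";
    char bad[HOST_BUF], good[HOST_BUF];
    int truncated;

    copy_head_unterminated(bad, sizeof bad, host);
    printf("flawed copy terminated: %d\n", is_terminated(bad, sizeof bad));
    truncated = copy_keep_domain(good, sizeof good, host);
    printf("truncated=%d -> \"%s\"\n", truncated, good);
    return 0;
}
```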