Bugtraq mailing list archives
Re: local buffer overflow in htpasswd for apache 1.3.31 not fixed in .33?
From: André Malo <nd () perlig de>
Date: Fri, 29 Oct 2004 23:53:16 +0200
* Larry Cashdollar <lwc () vapid ath cx> wrote:
This was posted on the full-disclosure list sept 16 2004 by Luiz Fernando. http://archives.neohapsis.com/archives/fulldisclosure/2004-09/0547.html The nessus check for this vulnerability recommends upgrading to Apache version 1.3.32: http://cgi.nessus.org/plugins/dump.php3?id=14771 But in Apache 1.3.33: lachoy# grep strcpy /install/src/apache_1.3.33/src/support/htpasswd.c strcpy(record, user); strcpy(pwfilename, argv[i]); strcpy(user, argv[i + 1]); strcpy(password, argv[i + 2]); strcpy(scratch, line); It is still vulnerable.
If you start htpasswd from a shell and you exploit some kind of buffer overflow, you get ... a shell?. Wow! Whoever runs htpasswd setuid is darn silly. The httpd developers, the docs and commonsense tell, that the program is just not designed for such an intention. Or in other words, take any program that's not designed for being run setuid and you'll find a "vulnerability" (e.g. with malloc debug environment variables or the like). Sorry, I can't see a security vulnerability here. nd --
[...] weiß jemand zufällig, was der Tag DIV ausgeschrieben bedeutet?
DIVerses. Benannt nach all dem unstrukturierten Zeug, was die Leute da so reinpacken und dann absolut positionieren ... -- Florian Hartig und Lars Kasper in dciwam
Current thread:
- local buffer overflow in htpasswd for apache 1.3.31 not fixed in .33? Larry Cashdollar (Oct 29)
- Re: local buffer overflow in htpasswd for apache 1.3.31 not fixed in .33? André Malo (Oct 29)
- Re: local buffer overflow in htpasswd for apache 1.3.31 not fixed in .33? Michael Engert (Oct 30)