Full Disclosure mailing list archives

Re: [SECURITY] [DSA 523-1] New www-sql packages fix buffer overflow


From: Ulf Härnhammar <Ulf.Harnhammar.9485 () student uu se>
Date: Sun, 20 Jun 2004 23:03:04 +0200

www-sql has an include command, allowing programs written in www-sql
to include files. The buffer overflow occurs when an include command
in a web page has a too long path, either one that is hardcoded or
one that is stored in a variable. The buffer overflow is stack-based
and gives you control over EIP.

In the special case where the include command uses a parameter
controlled by the web page's visitors (by form data or otherwise),
the overflow can be exploited remotely. Otherwise it is a local
privilege escalation.

I have attached a patch (against version 0.5.7) and a sample
web page.

// Ulf Harnhammar
   Debian Security Audit Project
   http://www.debian.org/security/audit/

Attachment: test.sql
Attachment: www-sql.patch
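The defect class described above, as an added illustration that is not www-sql's source and not the attached patch: a hypothetical include handler copies the path into a fixed stack buffer without a bound, beside a hardened variant that refuses paths that do not fit. The 256-byte buffer size and the function names are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size; the real value in www-sql is not stated in the post. */
#define INCLUDE_PATH_MAX 256

/* Vulnerable pattern (hypothetical, for illustration only): the include
 * path, whether hardcoded or taken from a variable, is copied into a fixed
 * stack buffer with no length check. A path of 256 bytes or more runs past
 * the buffer into the saved frame and return address, which is why the
 * post says the overflow gives control over EIP. */
int include_file_unsafe(const char *path)
{
    char buf[INCLUDE_PATH_MAX];
    strcpy(buf, path);          /* unbounded copy: overflow on long input */
    return (int)strlen(buf);
}

/* Hardened variant: measure first, refuse anything that does not fit
 * (including the terminator), then copy exactly the checked length. */
int include_file_safe(const char *path)
{
    char buf[INCLUDE_PATH_MAX];
    size_t len = strlen(path);
    if (len >= sizeof buf)
        return -1;              /* too long: reject instead of overflowing */
    memcpy(buf, path, len + 1);
    /* ... open and include buf here ... */
    return (int)len;
}

/* Builds a constructed path of n 'A' characters and feeds it to the safe
 * handler, so the length check can be exercised without undefined behaviour. */
int try_path_of_length(size_t n)
{
    char *p = malloc(n + 1);
    if (p == NULL)
        return -2;
    memset(p, 'A', n);
    p[n] = '\0';
    int rc = include_file_safe(p);
    free(p);
    return rc;
}

int main(void)
{
    printf("short path: %d\n", include_file_safe("/var/www/header.html"));
    printf("300-byte path: %d\n", try_path_of_length(300));
    return 0;
}
```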
