Full Disclosure mailing list archives
Apache 1.3.37 htpasswd buffer overflow vulnerability
From: "Matias Soler" <gnuler () gmail com>
Date: Tue, 2 Jan 2007 17:20:25 -0300
Synopsis: Apache 1.3.37 htpasswd buffer overflow vulnerability
Version: 1.3.37 (latest 1.3.xx)

Product
=======
Apache htpasswd utility

Issue
=====
A buffer overflow vulnerability has been found; it is dangerous only in
environments where the binary is suid root.

Details
=======
Incorrect validation of the size of user input allows a string to be copied,
via strcpy, into a fixed-size buffer.
File: htpasswd.c, Line 421.

Solution
========
Apply this patch to htpasswd.c

-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<--
415,419c415,420
< if (strlen(argv[i + 1]) > (sizeof(user) - 1)) {
< fprintf(stderr, "%s: username too long (>%lu)\n", argv[0],
< (unsigned long)(sizeof(user) - 1));
< return ERR_OVERFLOW;
< }
---
> }
> if (strlen(argv[i + 1]) > (sizeof(user) - 1)) {
> fprintf(stderr, "%s: username too long (>%lu)\n", argv[0],
> (unsigned long)(sizeof(user) - 1));
> return ERR_OVERFLOW;
>
--->8----->8----->8----->8----->8----->8----->8----->8----->8----->8----->8-----

Affected Versions
==================
1.3.37 - http://www.apache.org/dist/httpd/apache_1.3.37.tar.gz

Notes & References
==================
Another similar bug was discovered by Luiz Fernando [1]; a patch was written
by Larry Cashdollar which also fixed the bug I'm posting, but it seems not to
have been applied to the latest versions of Apache 1.3.xx.
Michael Engert submitted another patch [1] which also fixed this bug and
filled out a bug report [1], but it wasn't applied.
Have a look at other posts [3][4] on this (and similar) issues.
A bug report [5] on this issue was filled out.

Credits
=======
Matias S. Soler - gnuler [at] gmail [dot] com
Luiz Fernando
Michael Engert

1 - http://archives.neohapsis.com/archives/fulldisclosure/2004-09/0547.html
2 - http://issues.apache.org/bugzilla/show_bug.cgi?id=31975
3 - http://seclists.org/bugtraq/2004/Oct/0359.html
4 - http://www.security-express.com/archives/fulldisclosure/2004-10/1117.html
5 - http://issues.apache.org/bugzilla/show_bug.cgi?id=41279

--
Matias S. Soler
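Review bot: In the 415,419c415,420 hunk the `<` and `>` sides carry the identical length check; the only change is that the closing `}` which followed the check on the old side now precedes it on the new side, so the check is moved out of the block it was nested in and is evaluated regardless of which branch of that block was taken before the strcpy at line 421. Because this is normal diff output with no context lines, the hunk does not show which block that is, so a reviewer cannot confirm from the patch alone that every path to line 421 now passes the check; a unified diff with context (diff -u) would make that verifiable, and replacing the strcpy itself with a bounded copy (e.g. strncpy plus an explicit terminator) would keep the copy safe even if the checks are reordered again later.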
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
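As an added example (not code from the post or from Apache), the defect class the patch fixes, reduced to its control flow in C: a length check nested in one branch guards only that branch, so the other mode reaches the strcpy unchecked; the hardened form hoists the check above the branch, exactly as the patch does. The buffer size, error code and the `nofile` mode flag are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sizes and codes for this example; htpasswd.c defines its own. */
#define USER_LEN     16
#define ERR_OVERFLOW 5

/* Pre-patch shape, reduced to control flow: the length check is nested in one
 * branch, so in the other mode (here `nofile`) it never runs and the strcpy at
 * the original line 421 copies an unbounded argument into user[]. Instead of
 * performing that copy, return 1 if it would write past the buffer, else 0. */
static int old_flow_overflows(const char *arg, int nofile)
{
    if (!nofile) {
        if (strlen(arg) > USER_LEN - 1)
            return 0;                   /* rejected with ERR_OVERFLOW, no copy */
    }
    /* strcpy(user, arg) ran here in both modes */
    return strlen(arg) > USER_LEN - 1;
}

/* Post-patch shape: the check is hoisted above the branch, so the mode no longer
 * affects validation. Returns 0 and fills user[], or ERR_OVERFLOW without copying. */
static int copy_username(const char *arg, int nofile, char user[USER_LEN])
{
    size_t n = strlen(arg);
    (void)nofile;
    if (n > USER_LEN - 1) {
        fprintf(stderr, "htpasswd: username too long (>%lu)\n",
                (unsigned long)(USER_LEN - 1));
        return ERR_OVERFLOW;
    }
    memcpy(user, arg, n + 1);           /* n + 1 <= USER_LEN, includes the NUL */
    return 0;
}

int main(void)
{
    /* Constructed inputs: a 5-byte name that fits and a 24-byte name that does not. */
    const char *args[] = { "alice", "aaaaaaaaaaaaaaaaaaaaaaaa" };
    char user[USER_LEN];
    for (int i = 0; i < 2; i++)
        for (int nofile = 0; nofile <= 1; nofile++)
            printf("%-24s nofile=%d old: %s  new: %s\n", args[i], nofile,
                   old_flow_overflows(args[i], nofile) ? "OVERFLOW" : "ok",
                   copy_username(args[i], nofile, user) == 0 ? "copied" : "rejected");
    return 0;
}
```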