Re: Vulnerability in NCSA HTTPD 1.3

Paul 'Shag' Walmsley (ccshag@cclabs.missouri.edu)
Tue, 14 Feb 1995 00:33:05 -0600 (CST)

On Mon, 13 Feb 1995, Thomas Lopatic wrote:

> Hello there,
> 
> we've installed the NCSA HTTPD 1.3 on our WWW server (HP9000/720, HP-UX 9.01)
> and I've found that it can be tricked into executing shell commands.

...

> /* The problem is that the array 'tmp' in the function 'strsubfirst()' */
> /* has a length of MAX_STRING_LEN. However, the function can be passed */
> /* arguments with up to HUGE_STRING_LEN characters. */

As Thomas implied, this particular problem can probably be fixed by
changing line 161 of util.c from

	char tmp[MAX_STRING_LEN];
to
	char tmp[HUGE_STRING_LEN];

in NCSA's source.  We're running with the HUGE_STRING_LEN tmp now with no 
(immediately apparent) bad side-effects (other than Thomas' hack not working 
any more ;)
 
> -- 
> Thomas Lopatic                               lopatic@informatik.uni-muenchen.de
> 

- Paul "Shag" Walmsley <ccshag@cclabs.missouri.edu>
  "I'll drink a toast to bold evolution any day!"
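
Added example, not part of the original message and not NCSA's code: the mismatch described above is a scratch buffer smaller than the longest string a caller can pass, so this sketch takes the destination's capacity as a parameter, checks it, and shifts the tail in place with no scratch buffer at all. The function name and signature, the assumed semantics (replace the first `start` bytes of dest with src), the constant values and the sample strings are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_STRING_LEN  256   /* assumed values, for illustration only */
#define HUGE_STRING_LEN 8192

/* Hypothetical bounded variant: replace the first `start` bytes of the
 * NUL-terminated string in dest (capacity dest_size) with src, in place.
 * src must not overlap dest. Returns 0 on success, or -1 with dest left
 * untouched if the result would not fit. */
int strsubfirst_bounded(size_t start, char *dest, size_t dest_size,
                        const char *src)
{
    size_t dest_len = strlen(dest);
    size_t src_len = strlen(src);
    size_t tail_len;

    if (start > dest_len)
        return -1;
    tail_len = dest_len - start;
    /* src + tail + terminating NUL must fit in the caller's buffer */
    if (src_len >= dest_size || tail_len >= dest_size - src_len)
        return -1;
    /* memmove tolerates the overlap, so no fixed-size temporary is needed */
    memmove(dest + src_len, dest + start, tail_len + 1);
    memcpy(dest, src, src_len);
    return 0;
}

/* Constructed input: swap an 8-byte prefix for a longer one. */
int demo_short(void)
{
    char url[HUGE_STRING_LEN] = "/cgi-bin/test";
    if (strsubfirst_bounded(8, url, sizeof url, "/srv/httpd/cgi-bin") != 0)
        return -1;
    return strcmp(url, "/srv/httpd/cgi-bin/test");
}

/* Constructed input: n filler bytes, then prepend a 3-byte prefix.
 * Returns the new length, or -1 if the call was refused. */
int demo_fill(size_t n)
{
    char buf[HUGE_STRING_LEN];
    if (n >= sizeof buf)
        return -2;
    memset(buf, 'A', n);
    buf[n] = '\0';
    if (strsubfirst_bounded(0, buf, sizeof buf, "/x/") != 0)
        return -1;
    return (int)strlen(buf);
}
```

A string four times MAX_STRING_LEN is handled normally, and one that would push the result past HUGE_STRING_LEN is rejected instead of being copied.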