TL> == Thomas Lopatic <lopatic@dbs.informatik.uni-muenchen.de> PW> == Paul 'Shag' Walmsley <ccshag@cclabs.missouri.edu> TL> we've installed the NCSA HTTPD 1.3 on our WWW server (HP9000/720, TL> HP-UX 9.01) and I've found, that it can be tricked into executing TL> shell commands. TL> /* The problem is that the array 'tmp' in the function 'strsubfirst()' */ TL> /* has a length of MAX_STRING_LEN. However, the function can be passed */ TL> /* arguments with up to HUGE_STRING_LEN characters. */ PW> As Thomas implied, this particular problem can probably be fixed by PW> changing line 161 of util.c from PW> char tmp[MAX_STRING_LEN]; PW> to PW> char tmp[HUGE_STRING_LEN]; PW> in NCSA's source. We're running with the HUGE_STRING_LEN tmp now PW> with no (immediately apparent) bad side-effects (other than Thomas' PW> hack not working any more ;) I'd suggest changing it to HUGE_STRING_LEN+MAX_STRING_LEN, just to give you some slack. However, I don't think even that will necessarily solve the problem. A quick pass over the sources show a *LOT* of strcat/strcpy calls to various buffers, and *ONE* strncpy. Since they use static buffers all over the place, this is a recipe for disaster; even if you fix this particular one, there are probably half a dozen other places where the same sort of thing could happen. CERN's httpd seems to be a bit smarter about this sort of thing, but it's SO huge that even if they have only 10% as many bugs per K, they're worse than NCSA. (NCSA's src/* is 195K; CERN's WWW/Daemon/Implementation is 610K, plus WWW/Library/Implementation's 1406K(!).) Plexus, being perl-based, should at least be immune to the string overflow problem :-) but I haven't exhaustively looked it over yet. I haven't looked at gn yet; the source is only 146K, though, so it's ahead of NCSA in at least that category...