
Re: CIAC Advisory F-11 Report: Unix NCSA httpd Vulnerability



The problem is none of the patches of adjusting the size of the "tmp"
array in strsubfirst() really fix the overall problem.

If the input array (dest) is sized to HUGE_STRING_LEN and is full,
then the input array (dest) will overrun whatever follows it when the
	strcpy(&dest[strlen(src)],tmp);
is executed because now the total number of bytes placed in dest is
"what was there" plus (in the case most recently discussed) the
contents of document_root_path.

strsubfirst() really needs to know the declared size of the formal
parameter "dest" in order to prevent overruns from occurring in
strsubfirst().

Ric (<ric@rtd.com> "Ric Anderson", using RTD's public internet access)
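
Added example, not part of the original message and not NCSA httpd code: one way to pass the declared size of dest into the routine so the final copy cannot run past the buffer. The name strsubfirst_bounded, its signature, the return convention, and the semantics (replace the first `start` bytes of dest with src, inferred from the strcpy line quoted in the message) are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical bounded variant (not NCSA code): replace the first `start`
 * bytes of dest with src. dest_size is the declared size of dest's buffer.
 * Returns 0 on success, -1 if the result would not fit; dest is then
 * left unchanged. src must not overlap dest.
 */
int strsubfirst_bounded(size_t start, char *dest, size_t dest_size,
                        const char *src)
{
    if (dest == NULL || src == NULL || dest_size == 0)
        return -1;

    /* dest must already be NUL-terminated inside its own buffer. */
    const char *end = memchr(dest, '\0', dest_size);
    if (end == NULL)
        return -1;

    size_t dest_len = (size_t)(end - dest);
    if (start > dest_len)
        return -1;

    size_t src_len = strlen(src);
    size_t tail_len = dest_len - start; /* bytes kept after the prefix */

    /* Need src_len + tail_len + 1 <= dest_size, without size_t overflow. */
    if (src_len >= dest_size || tail_len >= dest_size - src_len)
        return -1;

    /* Shift the tail and its NUL into place, then put src in front. */
    memmove(dest + src_len, dest + start, tail_len + 1);
    memcpy(dest, src, src_len);
    return 0;
}

int main(void)
{
    /* Constructed input: a full 8-byte buffer, as in the "dest is full" case. */
    char full[8] = "abcdefg";
    int rc = strsubfirst_bounded(1, full, sizeof full, "XY");
    printf("rc=%d dest=%s\n", rc, full); /* refused, dest untouched */
    return rc == -1 ? 0 : 1;
}
```

A caller has to check the return value and reject the request on -1 rather than continue with the unsubstituted string.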

