Home page logo
/

bugtraq logo Bugtraq mailing list archives

ANOTHER hole in NCSA httpd1.3R
From: paulp () CERF NET (Paul Phillips)
Date: Tue, 11 Apr 1995 23:49:39 -0700


Looks like I posted too fast, I just found another hole in httpd.

In http_access.c, function evalute_access:

    if(S_ISDIR(finfo->st_mode)) strcpy_dir(path,p);
    else strcpy(path,p);

The second strcpy is copying a filename (again, potentially 8192 characters)
into a local buffer (256 characters.)

Some scary info:

{nic} grep strcpy *.c | wc -l
    123
{nic} grep sprintf *.c |wc -l
     51

There are more holes here, folks.

--
Paul Phillips
paulp () cerf net



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]