Bugtraq: Re: Vulnerability in NCSA HTTPD 1.3

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Bugtraq mailing list archives

Re: Vulnerability in NCSA HTTPD 1.3

From: ccshag () cclabs missouri edu (Paul 'Shag' Walmsley)
Date: Tue, 14 Feb 1995 00:33:05 -0600 (CST)


On Mon, 13 Feb 1995, Thomas Lopatic wrote:

Hello there,

we've installed the NCSA HTTPD 1.3 on our WWW server (HP9000/720, HP-UX 9.01)
and I've found, that it can be tricked into executing shell commands.

...

/* The problem is that the array 'tmp' in the function 'strsubfirst()' */
/* has a length of MAX_STRING_LEN. However, the function can be passed */
/* arguments with up to HUGE_STRING_LEN characters. */


As Thomas implied, this particular problem can probably be fixed by
changing line 161 of util.c from

        char tmp[MAX_STRING_LEN];
to
        char tmp[HUGE_STRING_LEN];

in NCSA's source.  We're running with the HUGE_STRING_LEN tmp now with no 
(immediately apparent) bad side-effects (other than Thomas' hack not working 
any more ;)

-- 
Thomas Lopatic                               lopatic () informatik uni-muenchen de


- Paul "Shag" Walmsley <ccshag () cclabs missouri edu>
  "I'll drink a toast to bold evolution any day!"

By Date By Thread

Current thread:

Vulnerability in NCSA HTTPD 1.3 Thomas Lopatic (Feb 13)
- Re: Vulnerability in NCSA HTTPD 1.3 Paul 'Shag' Walmsley (Feb 13)
  - Re: Vulnerability in NCSA HTTPD 1.3 Christopher Davis (Feb 14)
    - Re: Vulnerability in NCSA HTTPD 1.3 Robert M. Haas (Feb 14)
    - Re: Vulnerability in NCSA HTTPD 1.3 Christopher Davis (Feb 16)
  - Fixing the NCSA HTTPD 1.3 Thomas Lopatic (Feb 14)
    - Re: Fixing the NCSA HTTPD 1.3 Paul 'Shag' Walmsley (Feb 15)