[392] in WWW Security List Archive


Re: CIAC Advisory F-11 Report: Unix NCSA httpd Vulnerability

daemon@ATHENA.MIT.EDU (Phillip M. Hallam-Baker)
Wed Feb 15 18:25:37 1995

To: Bernhard.Schneck@physik.tu-muenchen.de, www-security@ns2.rutgers.edu
cc: hallam@dxal18.cern.ch
In-reply-to: Your message of "Wed, 15 Feb 1995 20:19:07 +0100."
             <199502151919.AA19781@srv.cip.physik.tu-muenchen.de> 
Date: 	Wed, 15 Feb 1995 20:27:12 +0900
From: "Phillip M. Hallam-Baker" <hallam@dxal18.cern.ch>
Reply-To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu


>Well, I've just been over the HTLoadError routine and it certainly
>does unchecked sprintf's to a fixed size buffer when composing the
>error message (same in HTErrorMsg).  No user input is used here,
>though, so it may not be harmful.  It just left me wondering where
>else such things might be lurking ...

Yep, I know about those bits; I had a look through them with a view 
to splatting a while back, but they seemed OK. The problem is the sheer 
number of lines of code though. It would be much quicker to rewrite the 
code in a different way than to check each part of it fully. This is more
likely to happen as part of a from-scratch proxy implementation than as an
extension of the CERN server though.

This is yet another UNIX screw-up. A real O/S simply does not allow 
a process to write to its stack. And a real language would have automatic
resource allocation for strings. 


	Phill
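
The pattern the two messages above are discussing, an error message composed with sprintf() into a fixed-size stack buffer, alongside the check and the hardened form a reviewer would want. This is an added example written for this archive page; it is not code from the CERN httpd or NCSA httpd sources, and the buffer size ERRMSG_SIZE, the format string ERRMSG_FMT, the function names and the sample inputs are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Fixed-size message buffer, as in the pattern under discussion. The size
   and the message format are assumptions for this example, not values from
   the CERN httpd sources. */
#define ERRMSG_SIZE 64
#define ERRMSG_FMT "Error: %s while loading %s"

/* The pattern under discussion: compose the error message with sprintf(),
   trusting that the pieces fit. sprintf() never sees the buffer size, so if
   the fixed text plus strlen(reason) plus strlen(uri) exceeds
   ERRMSG_SIZE - 1 it writes past the end of `msg` into whatever sits above
   it on the stack (saved registers, the return address). Only call this with
   inputs that are known to fit; main() below does exactly that. */
void compose_error_unchecked(char msg[ERRMSG_SIZE], const char *reason, const char *uri)
{
    sprintf(msg, ERRMSG_FMT, reason, uri);
}

/* Hardened form: snprintf() is told the buffer size and writes at most
   size - 1 characters plus the terminating NUL. Its return value is the
   length the full message would have had, so a result >= size tells the
   caller the message was truncated and it can log or reject instead of
   silently losing the tail (or, with sprintf(), the stack). */
int compose_error_checked(char *msg, size_t size, const char *reason, const char *uri)
{
    int needed = snprintf(msg, size, ERRMSG_FMT, reason, uri);
    return needed;  /* >= (int)size signals truncation */
}

/* Pre-flight check: C99 snprintf(NULL, 0, ...) computes the length without
   writing anything, which is how to find out whether a message fits before
   committing it to a fixed buffer. Returns 1 if it fits, 0 otherwise. */
int error_message_fits(size_t size, const char *reason, const char *uri)
{
    int needed = snprintf(NULL, 0, ERRMSG_FMT, reason, uri);
    return needed >= 0 && (size_t)needed < size;
}

int main(void)
{
    char msg[ERRMSG_SIZE];
    const char *short_uri = "http://example.org/index.html";  /* constructed input */
    char long_uri[200];                                       /* constructed input */
    memset(long_uri, 'A', sizeof long_uri - 1);
    long_uri[sizeof long_uri - 1] = '\0';

    /* 58 characters: fits, so the unchecked form is safe on this input. */
    compose_error_unchecked(msg, "timeout", short_uri);
    puts(msg);

    /* The same unchecked call with long_uri would overflow `msg`; check first. */
    if (!error_message_fits(sizeof msg, "timeout", long_uri))
        puts("unchecked form would overflow; refusing to build the message");

    int needed = compose_error_checked(msg, sizeof msg, "timeout", long_uri);
    if ((size_t)needed >= sizeof msg)
        printf("truncated: needed %d bytes, buffer holds %zu\n", needed, sizeof msg);
    return 0;
}
```

The point of the example is the one made in the thread: whether the unchecked form is exploitable depends entirely on whether any caller can ever pass a long `reason` or `uri`, and auditing every caller is the expensive part. Using the size-aware call everywhere removes the question.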
