[395] in WWW Security List Archive
Re: CIAC Advisory F-11 Report: Unix NCSA httpd Vulnerability
daemon@ATHENA.MIT.EDU (A Warren Pratten)
Wed Feb 15 20:25:49 1995
From: A Warren Pratten <warren@csd.uwo.ca>
To: www-security@ns2.rutgers.edu
Date: Wed, 15 Feb 95 16:31:29 EST
In-Reply-To: <9502150907.AA28085@jaguar.cs.shizuoka.ac.jp>; from "purna@cs.shizuoka.ac.jp" at Feb 15, 95 6:07 pm
Reply-To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
-> The U.S. Department of Energy
-> Computer Incident Advisory Capability
-> ___ __ __ _ ___
-> / | /_\ /
-> \___ __|__ / \ \___
-> _____________________________________________________
->
-> ADVISORY NOTICE
->
-> Unix NCSA httpd Vulnerability
->
[...]
-> Until official patches are available from NCSA, CIAC recommends the following
-> temporary fix be installed. In the file httpd.h, change the string length
-> definitions from:
->
-> /* The default string lengths */
-> #define MAX_STRING_LEN 256
-> #define HUGE_STRING_LEN 8192
->
-> to:
->
-> /* The default string lengths */
-> #define HUGE_STRING_LEN 8192
-> #define MAX_STRING_LEN HUGE_STRING_LEN
->
-> Then rebuild, install, and restart the new httpd server.
This is a pathetic fix. Sure it will solve the problem for a short time until
a clever hacker realises that all he/she has to do is overflow a larger
buffer.
I think I will opt for patching the source so that is does some sort of bound
check on the buffer. At least until NCSA provides an official fix.
- Warren
A Warren Pratten, Small Computer Support email: warren@csd.uwo.ca
Department of Computer Science voice: +1 519 679 2111 x6880
The University of Western Ontario fax: +1 519 661 3515
London Ontario CANADA N6A 5B7 www: http://www.csd.uwo.ca/staff/warren
