[397] in WWW Security List Archive
Re: CIAC Advisory F-11 Report: Unix NCSA httpd Vulnerability
daemon@ATHENA.MIT.EDU (Mike Muuss)
Thu Feb 16 01:26:15 1995
Date: Wed, 15 Feb 95 22:09:37 EST
From: Mike Muuss <mike@arl.mil>
To: www-security@ns2.rutgers.edu
cc: httpd@ncsa.uiuc.edu
Reply-To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
A Warren Pratten wrote -
> -> Until official patches are available from NCSA, CIAC recommends the following
> -> temporary fix be installed. In the file httpd.h, change the string length
> -> definitions from:
> ->
> -> /* The default string lengths */
> -> #define MAX_STRING_LEN 256
> -> #define HUGE_STRING_LEN 8192
> ->
> -> to:
> ->
> -> /* The default string lengths */
> -> #define HUGE_STRING_LEN 8192
> -> #define MAX_STRING_LEN HUGE_STRING_LEN
> ->
> -> Then rebuild, install, and restart the new httpd server.
>
> This is a pathetic fix. Sure it will solve the problem for a short time until
> a clever hacker realises that all he/she has to do is overflow a larger
> buffer.
The quick fix that I applied is as follows:
*** util.c.SECURITY_BUG Sat May 7 22:47:15 1994
--- util.c Tue Feb 14 03:54:27 1995
***************
*** 160,166 ****
{
char tmp[MAX_STRING_LEN];
! strcpy(tmp,&dest[start]);
strcpy(dest,src);
strcpy(&dest[strlen(src)],tmp);
}
--- 160,168 ----
{
char tmp[MAX_STRING_LEN];
! /* strcpy(tmp,&dest[start]); */ /* MJM - ARL: security bug */
! strncpy(tmp,&dest[start], sizeof(tmp)-1);
! tmp[MAX_STRING_LEN-1] = '\0'; /* MJM - ARL */
strcpy(dest,src);
strcpy(&dest[strlen(src)],tmp);
}
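Review bot: The two copies into dest after the new strncpy, `strcpy(dest,src);` and `strcpy(&dest[strlen(src)],tmp);`, are still unbounded, so this closes the overflow of tmp only. Nothing visible in the hunk establishes how large dest is or that strlen(src) plus strlen(tmp) plus the terminator fits in it. I would pass the capacity of dest into the function and check the combined length against it before either copy, failing the request when it does not fit. Second, when the tail at &dest[start] is longer than sizeof(tmp)-1 the strncpy truncates it silently and the caller continues with a shortened string; rejecting over-long input explicitly would be safer than carrying on with altered data. Minor: the copy is bounded with sizeof(tmp)-1 but the terminator is written at tmp[MAX_STRING_LEN-1]; using sizeof(tmp)-1 in both places keeps them in step if the declaration of tmp ever changes.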
Best,
-Mike