[419] in WWW Security List Archive
Re: CIAC Advisory F-11 Report: Unix NCSA httpd Vulnerability
daemon@ATHENA.MIT.EDU (Dr. Wayne E. Fordyce)
Mon Feb 20 17:36:17 1995
To: www-security@ns2.rutgers.edu
In-Reply-To: Your message of "Thu, 16 Feb 1995 04:34:29 CST."
<9502161034.AA06279@void.ncsa.uiuc.edu>
Date: Mon, 20 Feb 1995 13:23:22 -0500
From: "Dr. Wayne E. Fordyce" <wfordyce@mailbox.syr.edu>
Reply-To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
> On Feb 15, 22:09, Mike Muuss wrote:
> | --- Subject: Re: CIAC Advisory F-11 Report: Unix NCSA httpd Vulnerability
> |
> | A Warren Pratten wrote -
> |
> | > -> Until official patches are available from NCSA, CIAC recommends the following
> | > -> temporary fix be installed. In the file httpd.h, change the string length
> | > -> definitions from:
> | > ->
> | > -> /* The default string lengths */
> | > -> #define MAX_STRING_LEN 256
> | > -> #define HUGE_STRING_LEN 8192
> | > ->
> | > -> to:
> | > ->
> | > -> /* The default string lengths */
> | > -> #define HUGE_STRING_LEN 8192
> | > -> #define MAX_STRING_LEN HUGE_STRING_LEN
> | > ->
> | > -> Then rebuild, install, and restart the new httpd server.
> | >
[ deletions ]
> A better patch, which performs the functionality of strsubfirst
> (i.e. copy src followed by dest[start] into dest) without the use
> of a temporary buffer follows:
>
> *** util.c.bak Sat May 7 21:47:15 1994
> --- util.c Thu Feb 16 04:17:07 1995
> ***************
> *** 158,168 ****
>
> void strsubfirst(int start,char *dest, char *src)
> {
> ! char tmp[MAX_STRING_LEN];
>
> ! strcpy(tmp,&dest[start]);
> ! strcpy(dest,src);
> ! strcpy(&dest[strlen(src)],tmp);
> }
>
> /*
> --- 158,174 ----
>
> void strsubfirst(int start,char *dest, char *src)
> {
> ! int src_len, dest_len, i;
>
> ! if ((src_len=strlen(src))<start){ /** src "fits" in dest **/
> ! for (i=0;dest[i]=src[i];i++);
> ! for (i=src_len;dest[i]=dest[i-src_len+start];i++);
> ! }
> ! else { /** src doesn't fit in dest **/
> ! for (dest_len=strlen(dest),i=dest_len+src_len-start;i>=src_len;i--)
> ! dest[i] = dest[i-src_len+start];
> ! for (i=0;i<src_len;i++) dest[i]=src[i];
> ! }
> }
>
> /*
>
>
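Review bot: In the else branch ("src doesn't fit in dest") the shift loop writes up to dest[dest_len+src_len-start], but strsubfirst takes no size for dest, so nothing in this function bounds that growth. Removing tmp[MAX_STRING_LEN] removes the overflow of the temporary, but dest can still be overrun whenever the caller's buffer is smaller than dest_len - start + src_len + 1 bytes. Consider passing the capacity of dest as an extra argument and refusing the substitution when the result would not fit. Neither branch checks that start is at most strlen(dest) either; with a start past the terminator, the first branch reads beyond the end of the string in dest[i-src_len+start]. Minor: src_len and dest_len hold strlen() results in int, and the two assignment-as-condition loops would be easier to audit as a memmove of the tail followed by a memcpy of src.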
> Please apply this patch, recompile httpd, kill the current running process
> and restart the new httpd. In the following two days, we will be updating
> our FTP server with this new source code and binaries for different systems.
> Thanks for reporting these security holes,
>
> - Carlos.
I'm confused here. CERT just sent out an advisory saying to install both of
the above patches, not just Carlos'.
What's the deal here?
---------------------------------------------------------------------
Wayne Fordyce wfordyce@mailbox.syr.edu
Information Systems wfordyce@syr.edu
Computing & Media Services
Syracuse University, Syracuse NY 13244-5300 315-443-2682
---------------------------------------------------------------------