[566] in WWW Security List Archive


NCSA httpd 1.3 vulnerability still unsolved? (And where to go to solve it?)

daemon@ATHENA.MIT.EDU (Prentiss Riddle)
Sun Apr 2 21:01:18 1995

From: riddle@is.rice.edu (Prentiss Riddle)
To: www-security@ns1.rutgers.edu
Date: Sun, 2 Apr 1995 15:23:16 -0500 (CDT)
Cc: lopatic@dbs.informatik.uni-muenchen.de, httpd@ncsa.uiuc.edu, timbl@w3.org,
        cert@cert.org
Errors-To: owner-www-security@ns2.rutgers.edu

As far as I can tell, no clear consensus has yet been reached on the
proper response to the buffer overflow attack on NCSA httpd 1.3.

CERT advisory CA-95:04 (http://hoohoo.ncsa.uiuc.edu/docs/Cert.9504.txt)
recommends both increasing the MAX_STRING_LEN buffer size to 8192 and
applying NCSA's patch to strsubfirst().  The developers at NCSA
(http://hoohoo.ncsa.uiuc.edu/docs/patch_desc.html) recommend against
increasing the buffer size because it is extremely wasteful of memory.
As of early March the discoverer of the bug, Thomas Lopatic
(lopatic@dbs.informatik.uni-muenchen.de), expressed doubts that NCSA's
published patch solved the problem and had his own patch to suggest.

Has any consensus been reached, or are those of us without the time to
fully research the problem ourselves just supposed to guess based on
which of these three sources we feel is most trustworthy?

(And a meta-question: is the "www-security" mailing list an appropriate
forum in which to reach consensus on security problems in *existing*
WWW software, or just a place to hash out prospective security
protocols and their implementation as its recent traffic suggests?  I
would argue that these may be two separate functions.  Clearly there is
an urgent need for an unnoisy place where WWW developers and the
security community can put their heads together to solve
vulnerabilities in existing software.  The newsgroups aren't fulfilling
this need, and possibly www-security isn't either.  Maybe the W3
Consortium should sponsor a moderated forum for this purpose and
persuade WWW developers to give it their attention?)

-- Prentiss Riddle ("aprendiz de todo, maestro de nada") riddle@rice.edu
-- Systems Programmer and RiceInfo Administrator, Rice University
-- 2002-A Guadalupe St. #285, Austin, TX 78705 / 512-323-0708
-- Opinions expressed are not necessarily those of my employer.
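
The trade-off raised in the message above (a larger MAX_STRING_LEN versus a fix inside the string routine) can be shown with an added example. It is not part of the original message, and it is not NCSA's strsubfirst(), NCSA's patch, or Lopatic's patch. The names `subst_first_bounded` and `try_expand`, the 256-byte size, and the sample strings are hypothetical or constructed; only the 8192 figure comes from the message.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sizes for illustration; only 8192 appears in the message
 * (the MAX_STRING_LEN value CA-95:04 recommends). */
#define SMALL_BUF 256
#define LARGE_BUF 8192

/* Hypothetical helper: replace the first `start` bytes of dest with src and
 * keep the rest. dest_cap is dest's full capacity; src must not overlap dest.
 * Returns 0 on success, -1 if the result would not fit (dest is unchanged). */
int subst_first_bounded(char *dest, size_t dest_cap, size_t start, const char *src)
{
    const char *nul = memchr(dest, '\0', dest_cap);
    size_t dest_len, src_len, tail_len;

    if (nul == NULL)
        return -1;                      /* dest not terminated inside its buffer */
    dest_len = (size_t)(nul - dest);
    if (start > dest_len)
        return -1;
    src_len = strlen(src);
    tail_len = dest_len - start;
    /* Need src_len + tail_len + 1 <= dest_cap, written without overflow. */
    if (src_len >= dest_cap || tail_len >= dest_cap - src_len)
        return -1;
    memmove(dest + src_len, dest + start, tail_len + 1);  /* tail plus NUL */
    memcpy(dest, src, src_len);
    return 0;
}

/* Build a constructed input (short prefix + tail_len filler bytes) in a buffer
 * of `cap` bytes and expand the prefix. Returns -2 if the input itself does
 * not fit, otherwise the helper's result. */
int try_expand(size_t cap, size_t tail_len)
{
    static char buf[LARGE_BUF];
    const char *prefix = "/~user";                    /* constructed, 6 bytes */
    const char *longer = "/home/user/public_html";    /* constructed, 22 bytes */
    size_t plen = strlen(prefix);

    if (cap > sizeof buf || cap <= plen || tail_len >= cap - plen)
        return -2;
    memcpy(buf, prefix, plen);
    memset(buf + plen, 'A', tail_len);
    buf[plen + tail_len] = '\0';
    return subst_first_bounded(buf, cap, plen, longer);
}
```

An input that fits the buffer before substitution can still exceed it afterwards at either size, so the larger buffer only moves the threshold, while the length check rejects the oversized result at both sizes.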
