[569] in WWW Security List Archive
Re: NCSA httpd 1.3 vulnerability still unsolved? (And where to go to solve it?)
daemon@ATHENA.MIT.EDU (Brian Behlendorf)
Mon Apr 3 21:32:15 1995
Date: Mon, 3 Apr 1995 14:06:37 -0800 (PST)
From: Brian Behlendorf <brian@wired.com>
To: Prentiss Riddle <riddle@is.rice.edu>
cc: www-security@ns1.rutgers.edu, lopatic@dbs.informatik.uni-muenchen.de,
httpd@ncsa.uiuc.edu, timbl@w3.org, cert@cert.org
In-Reply-To: <199504022023.PAA16819@is.rice.edu>
Errors-To: owner-www-security@ns2.rutgers.edu
On Sun, 2 Apr 1995, Prentiss Riddle wrote:
> Has any consensus been reached, or are those of us without the time to
> fully research the problem ourselves just supposed to guess based on
> which of these three sources we feel is most trustworthy?
The problem was that there are *many* places in the 1.3 code where
strings are allowed to grow without bounds-checking. The forthcoming 1.4
fixes a very large number of these (possibly all, but I haven't looked
closely at 1.4's src enough to say "all").
If that's not good enough for you now, remember that the bug can only
really be exploited if you're using a binary that the attacker has access
to; thus, if you have modified your httpd at all and recompiled, or you
simply set MAX_STRING_LEN to be another number instead of
HUGE_STRING_LEN, you will probably be safe until 1.4.
Brian
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@hotwired.com brian@hyperreal.com http://www.hotwired.com/Staff/brian/
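The pattern Behlendorf describes, strings appended into a fixed-size buffer without a check on the remaining room, is easy to see in a small standalone program. The following is an added example, not code from this mail or from NCSA httpd: it puts the unbounded append beside a bounded one and shows how a request-line builder refuses an oversized path instead of writing past the buffer. The function names, the 256-byte value chosen for MAX_STRING_LEN, and the sample request pieces are all assumptions made for the demo (the mail only says that 1.3 set MAX_STRING_LEN to HUGE_STRING_LEN, and that changing it alters where the overflow lands).

```c
/* Added example, not NCSA httpd source. Shows the unbounded-append bug
 * pattern next to a bounds-checked version. MAX_STRING_LEN here is an
 * assumed small value so the overflow condition is easy to exercise. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MAX_STRING_LEN 256  /* assumption for the demo, not httpd's default */

/* Vulnerable pattern: no notion of the destination's capacity, so any
 * untrusted src longer than the remaining room writes past the buffer.
 * Shown only for comparison; never call it on attacker-controlled data. */
void append_unbounded(char *dst, const char *src)
{
    strcat(dst, src);
}

/* Hardened pattern: the caller states the capacity, and the function
 * refuses (rather than silently truncating) anything that would not fit
 * together with its NUL terminator. Returns 0 on success, -1 on refusal. */
int append_bounded(char *dst, size_t cap, const char *src)
{
    const char *nul = memchr(dst, '\0', cap);
    if (nul == NULL)
        return -1;                 /* dst is not a terminated string */
    size_t used = (size_t)(nul - dst);
    size_t need = strlen(src);
    if (need >= cap - used)
        return -1;                 /* would overflow: refuse */
    memcpy(dst + used, src, need + 1);
    return 0;
}

/* Assemble "METHOD PATH PROTO" from untrusted request pieces into a buffer
 * of the given capacity. Any piece that would overflow makes the whole
 * call fail, so the caller can reject the request instead of continuing
 * with a partially built string. Returns 0 if it fit, -1 otherwise. */
int build_request_line(char *out, size_t cap, const char *method,
                       const char *path, const char *proto)
{
    if (cap == 0)
        return -1;
    out[0] = '\0';
    if (append_bounded(out, cap, method) < 0) return -1;
    if (append_bounded(out, cap, " ") < 0)    return -1;
    if (append_bounded(out, cap, path) < 0)   return -1;
    if (append_bounded(out, cap, " ") < 0)    return -1;
    if (append_bounded(out, cap, proto) < 0)  return -1;
    return 0;
}

int main(void)
{
    char buf[MAX_STRING_LEN];

    /* Constructed inputs: a normal request, and an oversized path of the
     * kind an attacker sends to push the string past the buffer. */
    char huge[4096];
    memset(huge, 'A', sizeof huge - 1);
    huge[sizeof huge - 1] = '\0';

    int ok = build_request_line(buf, sizeof buf, "GET", "/index.html", "HTTP/1.0");
    printf("normal request: rc=%d line=\"%s\"\n", ok, buf);

    int bad = build_request_line(buf, sizeof buf, "GET", huge, "HTTP/1.0");
    printf("oversized path: rc=%d (refused, buffer intact)\n", bad);

    /* The unbounded variant is only safe on input already known to fit. */
    buf[0] = '\0';
    append_unbounded(buf, "short");
    printf("unbounded on known-short input: \"%s\"\n", buf);
    return 0;
}
```

The refusal on overflow, rather than truncation, is deliberate: a request line that does not fit in a generous fixed buffer is itself a signal worth logging and rejecting, and truncating it can produce a different (and still attacker-influenced) string downstream.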