[573] in WWW Security List Archive
Re: NCSA httpd 1.3 vulnerability still unsolved? (And where to go to solve it?)
daemon@ATHENA.MIT.EDU (robert@cogsci.ed.ac.uk)
Tue Apr 4 11:55:05 1995
From: robert@cogsci.ed.ac.uk
Date: Tue, 4 Apr 95 12:46:14 BST
To: psphilli@sdcc8.UCSD.EDU
Cc: www-security@ns1.rutgers.edu
In-Reply-To: <Pine.3.89.9504032152.A27494-0100000@sdcc8.ucsd.edu> (message from Paul Phillips on Mon, 3 Apr 1995 21:38:43 -0700 (PDT))
Errors-To: owner-www-security@ns2.rutgers.edu
I've seen a number of postings discussing the status of a bug
with NCSA's httpd 1.3.
Pardon a very basic question, but what are the consequences of this bug?
I gather that there are fixed-length strings within the server that can be
set by a client, and that the length of the values supplied by the client
is not checked.
I assume that if the string from the client is too long, it will
overflow other data, and possibly even executable. This is a Bad Thing,
but just HOW bad?
The most likely consequence would seem to be that the demon would crash.
Would this disable the site, or only abort the offending request?
The worst case would seem to be that the client can overwrite the executing
code of httpd with code of its own, which would then be executed on the
host. But with what privileges? Root, or ``nobody''?
In other words, if all the permissions on my system are set up right,
so that ``nobody'' cannot do any damage, should I be bothered?
Robert.
--------------------------------------------------------------------------
Robert Inder HCRC, 2, Buccleuch Place, Edinburgh EH8 9LW Scotland
http://www.cogsci.ed.ac.uk/hcrc/home.html
--------------------------------------------------------------------------
Imminent death of the Net predicted due to Mosaic traffic overload...
For details, see http://www-server12.nat-enq.com:www12/news18/article354426
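
The unchecked fixed-length copy described in the message above, next to a length-checked version, as an added example that is not part of the original post and is not NCSA httpd source. The buffer size, the function names and the 400 response are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define URL_BUF_LEN 256  /* hypothetical buffer size, not NCSA's value */

/* Unchecked pattern: the client decides how many bytes are written, so
 * anything longer than the buffer lands on whatever sits next to it in
 * memory. Shown for contrast only; nothing below calls it. */
void copy_unchecked(char *dst, const char *client_value)
{
    strcpy(dst, client_value);  /* no length check */
}

/* Checked pattern: look for the terminator within the space available and
 * refuse values that do not fit.
 * Returns 0 on success, -1 if the value is too long (dst is set to ""). */
int copy_checked(char *dst, const char *client_value)
{
    const char *end = memchr(client_value, '\0', URL_BUF_LEN);
    if (end == NULL) {          /* no NUL within URL_BUF_LEN bytes */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, client_value, (size_t)(end - client_value) + 1);
    return 0;
}

/* Per-request handling: an oversized value fails that one request
 * (answering 400 is an assumed policy) and the server keeps running. */
int handle_request_path(const char *client_value)
{
    char path[URL_BUF_LEN];
    if (copy_checked(path, client_value) != 0)
        return 400;
    return 200;
}

int main(void)
{
    char big[1024];             /* constructed oversized input */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("short path: %d\n", handle_request_path("/index.html"));
    printf("long path:  %d\n", handle_request_path(big));
    return 0;
}
```
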