[23811] in bugtraq

home help back first fref pref prev next nref lref last post

Re: Details on the updated namazu packages that are available

daemon@ATHENA.MIT.EDU (NOKUBI Takatsugu)
Thu Jan 10 23:37:28 2002

Message-Id: <200201110108.KAA12823@ns1.eal.or.jp>
To: bugtraq@securityfocus.com
Cc: dotslash@snosoft.com, namazu-devel-ja@namazu.org,
        namazu-devel-en@namazu.org
In-Reply-To: Your message of "Wed, 09 Jan 2002 18:15:10 -0500".
	<3C3CCEFE.6080501@snosoft.com>
From: knok@daionet.gr.jp (NOKUBI Takatsugu)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Date: Fri, 11 Jan 2002 10:07:52 JST

In article <3C3CCEFE.6080501@snosoft.com>
dotslash@snosoft.com writes:

>> Doh! Looks like I slept on this one too long... heres some of my 
>> personal notes on exploiting this issue. Have fun.

Thanks for your report.

>> Here is my research on the above issues:
>> There are several buffer overflows in the QUERY_STRING options
>> Unfortunately the check in namazu.h screws us...

Yes, I had recognized it. So there is a notice about it as the
follwing;

libnamazu.h:
enum {
    /* Size of general buffers. This MUST be larger than QUERY_MAX */
    BUFSIZE = 1024,        

    QUERY_TOKEN_MAX =  32, /* Max number of tokens in the query. */
    QUERY_MAX       = 256, /* Max length of the query. */

    INDEX_MAX = 64        /* Max number of databases */
};

.. Oops, it is only QUERY_MAX, not mentioned about
CGI_QUERY_MAX. I'll fix it.

>> In other words unless you have modified namazu then you are not vuln.
>> Now we can exploit this via the command line as a side note ... although 
>> its not suid...
>> [root@linuxppc src]# ./namazu querystring `perl -e 'print "A" x 1024'`
>> Results:
>> 
>> References:  [  (can't open the index)  ]
>> 
>> No document matching your query.
>> Aborted (core dumped)

CGI program (namazu.cgi) and command-line programm (namazu) is
separated, and command-line program is prohibited to invoke as
CGI. Therefore I think it is not so serious.

At all events, I'll fix it in next release. Thanks.
-- 
NOKUBI Takatsugu
E-mail: knok@daionet.gr.jp
	knok@namazu.org / knok@debian.org

home help back first fref pref prev next nref lref last post