[23811] in bugtraq
Re: Details on the updated namazu packages that are available
daemon@ATHENA.MIT.EDU (NOKUBI Takatsugu)
Thu Jan 10 23:37:28 2002
Message-Id: <200201110108.KAA12823@ns1.eal.or.jp>
To: bugtraq@securityfocus.com
Cc: dotslash@snosoft.com, namazu-devel-ja@namazu.org,
namazu-devel-en@namazu.org
In-Reply-To: Your message of "Wed, 09 Jan 2002 18:15:10 -0500".
<3C3CCEFE.6080501@snosoft.com>
From: knok@daionet.gr.jp (NOKUBI Takatsugu)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Date: Fri, 11 Jan 2002 10:07:52 JST
In article <3C3CCEFE.6080501@snosoft.com>
dotslash@snosoft.com writes:
>> Doh! Looks like I slept on this one too long... here's some of my
>> personal notes on exploiting this issue. Have fun.
Thanks for your report.
>> Here is my research on the above issues:
>> There are several buffer overflows in the QUERY_STRING options
>> Unfortunately the check in namazu.h screws us...
Yes, I had recognized it. So there is a notice about it as the
following:
libnamazu.h:
    enum {
        /* Size of general buffers. This MUST be larger than QUERY_MAX */
        BUFSIZE = 1024,
        QUERY_TOKEN_MAX = 32,   /* Max number of tokens in the query. */
        QUERY_MAX = 256,        /* Max length of the query. */
        INDEX_MAX = 64          /* Max number of databases */
    };
.. Oops, it only mentions QUERY_MAX, not CGI_QUERY_MAX. I'll fix it.
>> In other words unless you have modified namazu then you are not vuln.
>> Now we can exploit this via the command line as a side note ... although
>> it's not suid...
>> [root@linuxppc src]# ./namazu querystring `perl -e 'print "A" x 1024'`
>> Results:
>>
>> References: [ (can't open the index) ]
>>
>> No document matching your query.
>> Aborted (core dumped)
The CGI program (namazu.cgi) and the command-line program (namazu) are
separate, and the command-line program is prohibited from being invoked
as a CGI. Therefore I think it is not so serious.
At all events, I'll fix it in next release. Thanks.
--
NOKUBI Takatsugu
E-mail: knok@daionet.gr.jp
knok@namazu.org / knok@debian.org
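The message above hinges on the libnamazu.h invariant (BUFSIZE must exceed QUERY_MAX) and on the length check that the CGI applies but the command-line tool, as quoted, did not. The following is an added illustration, not Namazu's own code: it pins the invariant at compile time and shows a hypothetical bounded query copy that refuses the 1024-byte input from the quoted test instead of overrunning a BUFSIZE buffer. The constants are the ones quoted in the message; copy_query_bounded and demo_query_of_length are constructed names.

```c
#include <stddef.h>
#include <string.h>

/* Limits as quoted from libnamazu.h in the message above. */
enum {
    BUFSIZE = 1024,   /* size of general buffers */
    QUERY_MAX = 256   /* max length of the query */
};

/* The header comment's invariant, enforced at compile time (C11). */
_Static_assert(BUFSIZE > QUERY_MAX, "BUFSIZE must be larger than QUERY_MAX");

/* Hypothetical bounded copy. Copies `query` into `dst` and returns 1 only
 * if the query is at most QUERY_MAX bytes and fits `dst`; otherwise leaves
 * `dst` empty and returns 0. Scans at most QUERY_MAX + 1 bytes of input,
 * so an unterminated or huge query cannot run the scan off the end. */
int copy_query_bounded(char *dst, size_t dstlen, const char *query)
{
    size_t n = 0;
    while (n <= QUERY_MAX && query[n] != '\0')
        n++;
    if (n > QUERY_MAX || dstlen < n + 1) {
        if (dstlen > 0)
            dst[0] = '\0';
        return 0;
    }
    memcpy(dst, query, n + 1);   /* n + 1 includes the terminator */
    return 1;
}

/* Constructed probe: builds a query of exactly `len` 'A' bytes (as in the
 * quoted `perl -e 'print "A" x 1024'` test) and reports whether the bounded
 * copy accepts it. Returns -1 if `len` exceeds what the probe can build. */
int demo_query_of_length(size_t len)
{
    char query[BUFSIZE + 1];
    char buf[BUFSIZE];

    if (len > BUFSIZE)
        return -1;
    memset(query, 'A', len);
    query[len] = '\0';
    return copy_query_bounded(buf, sizeof buf, query);
}
```

With the bound in place, demo_query_of_length(1024) returns 0 (refused) while a 256-byte query is still accepted, which is the behaviour the CGI-side check gives and the command-line tool in the quoted test lacked.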