[5258] in bugtraq


Re: Overflow in one of Apache 1.1.1 (maybe later too)'s modules

daemon@ATHENA.MIT.EDU (Marc Slemko)
Fri Sep 5 13:43:32 1997

Date: 	Fri, 5 Sep 1997 09:53:28 -0600
Reply-To: Marc Slemko <marcs@ZNEP.COM>
From: Marc Slemko <marcs@ZNEP.COM>
X-To:         Matt Conover <shok@COBRA.ONLINEX.NET>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <Pine.LNX.3.93.970904212504.13951A-100000@cobra.onlinex.net>

On Thu, 4 Sep 1997, Matt Conover wrote:

> Hello (sorry if this gets long or if it's known but I don't think it is):
>
> Well this is an obvious overflow in one of apache's modules; it is
> remote too.....however, luckily for the web admins it's not installed
> by default. The problem is in mod_auth_anon.c in the function
> anon_authenticate_basic_user(). It contains the following lines:
>
> char errstr[MAX_STRING_LEN];
> [...]
>     if (sec->auth_anon_logemail) {
>         sprintf(errstr,"Anonymous: Passwd <%s> Accepted",
>                         send_pw ? send_pw : "\'none\'");
> [...]
>     } else {
>         if (sec->auth_anon_authorative) {
>         sprintf(errstr,"Anonymous: Authorative, Passwd <%s> not accepted",
>                 send_pw ? send_pw : "\'none\'");
> [...]
>

Yes, that is correct.  It is bad code.  You will note, however, that input
lines are limited to MAX_STRING_LEN as well (couldn't be HUGE_STRING_LEN,
but they are the same) so you would have trouble inputting a password long
enough to cause problems.  There is a _LOT_ of code in Apache 1.1 that
works on this tacit assumption.  That is a bad thing, but most of it is
not exploitable.

In Apache 1.2, a full review of the source was done, and hundreds of
possible buffer overflows were fixed; very few could cause any real
damage.  We added our own ap_snprintf() (borrowed from other code) and
changed nearly every sprintf to ap_snprintf in addition to fixing other
possible overflows.

--
     Marc Slemko     | Apache team member
     marcs@znep.com  | marc@apache.org
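The two points the reply makes, that an unbounded sprintf() into a MAX_STRING_LEN buffer is wrong in principle, and that the same MAX_STRING_LEN cap on request lines makes a long enough password hard to deliver, can be checked numerically. The following is an added example written for this page, not code from the original thread or from Apache. It assumes MAX_STRING_LEN is 8192 and that the credential arrives in a single "Authorization: Basic <base64>" header line; the function names are hypothetical. The measurement uses snprintf() with a zero-length destination so nothing is ever overrun, and the bounded variant shows the shape of the ap_snprintf() change the reply describes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption for this example: Apache 1.x's MAX_STRING_LEN is 8192.
   The point is that errstr and the request-line limit share it, as the
   reply says, not the exact value. */
#define MAX_STRING_LEN 8192

/* Format string from the quoted mod_auth_anon code; "'none'" substitutes
   for a NULL password exactly as the original does. */
static const char *LOG_FMT = "Anonymous: Passwd <%s> Accepted";

/* Bytes (including the terminating NUL) the quoted unbounded sprintf()
   would write for a given password. snprintf with a zero-length
   destination only measures, so this never touches a real buffer. */
size_t bytes_sprintf_would_write(const char *send_pw)
{
    int n = snprintf(NULL, 0, LOG_FMT, send_pw ? send_pw : "'none'");
    return (size_t)n + 1;
}

/* 1 if a password of pwlen bytes would make the unbounded sprintf overrun
   a MAX_STRING_LEN-byte errstr, 0 otherwise, -1 on allocation failure.
   The password is constructed here as a run of 'A' bytes. */
int unbounded_would_overflow(size_t pwlen)
{
    char *pw = malloc(pwlen + 1);
    if (!pw) return -1;
    memset(pw, 'A', pwlen);
    pw[pwlen] = '\0';
    int overflow = bytes_sprintf_would_write(pw) > MAX_STRING_LEN;
    free(pw);
    return overflow;
}

/* Hardened form (hypothetical name), in the spirit of the ap_snprintf()
   rewrite: the write is bounded by errlen and always NUL-terminated.
   Returns 1 if the whole message fit, 0 if it was truncated. */
int format_log_bounded(char *errstr, size_t errlen, const char *send_pw)
{
    int n = snprintf(errstr, errlen, LOG_FMT, send_pw ? send_pw : "'none'");
    return n >= 0 && (size_t)n < errlen;
}

/* Upper bound on the decoded credential that fits in one header line of
   at most line_limit bytes. Assumes "Authorization: Basic " (21 bytes)
   precedes the base64 payload and base64 yields 3 bytes per 4 characters.
   This is the arithmetic behind "you would have trouble inputting a
   password long enough": the same cap limits both sides. */
size_t max_decoded_credential_len(size_t line_limit)
{
    const size_t prefix = strlen("Authorization: Basic ");
    if (line_limit <= prefix) return 0;
    return ((line_limit - prefix) / 4) * 3;
}

int main(void)
{
    char errstr[64];
    printf("6-byte password overflows: %d\n", unbounded_would_overflow(6));
    printf("%d-byte password overflows: %d\n", MAX_STRING_LEN,
           unbounded_would_overflow(MAX_STRING_LEN));
    printf("max decoded credential from one %d-byte line: %zu\n",
           MAX_STRING_LEN, max_decoded_credential_len(MAX_STRING_LEN));
    printf("bounded write fit: %d -> \"%s\"\n",
           format_log_bounded(errstr, sizeof errstr, "secret"), errstr);
    return 0;
}
```

The fixed text around %s is 29 bytes, so the unbounded write only overruns once the password exceeds MAX_STRING_LEN - 30 bytes, while a single capped header line can carry at most 6126 decoded bytes under the stated assumptions; the margin is real but thin enough that bounding the write, as the 1.2 review did, is the right fix rather than relying on the input limit.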
