[1056] in bugtraq
NCSA httpd 1.3
daemon@ATHENA.MIT.EDU (Kevin at Paranoia)
Thu Feb 23 13:49:25 1995
From: kevintx@paranoia.com (Kevin at Paranoia)
To: bugtraq@fc.net
Date: Thu, 23 Feb 1995 10:22:18 -0600 (CST)
Following CERT's first suggestion on the NCSA httpd 1.3 crashed my WWW
server! Adding 7936 bytes to MAX_STRING_LEN (in 154 instances) made
each running httpd process about 100K larger and brought the server
(which runs close to swapping anyway at busy times) crashing to its knees.
NCSA says that the util.c patch is enough to cover the vulnerability.
(their details are at http://hoohoo.ncsa.uiuc.edu/docs/patch_desc.html)
The top of that page reads:
A vulnerability was recently discovered in the NCSA httpd. A program
which will break into an HP system running the precompiled httpd has been
published, along with step by step instructions.
Three cheers for full disclosure... it gets results.
kevin
--
kevintx@paranoia.com | "Ask me no questions, I'll tell you no lies."
(System Administrator) | Paranoia offers low cost accounts to those in need.
Finger for PGP 2.3 Key | <a href="http://www.paranoia.com/">The Server</a>
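The two fixes the post contrasts, shown side by side as an added example (this is not NCSA's util.c, nor the CERT patch, nor code from the poster): a request-URI copy into a MAX_STRING_LEN-sized buffer, first with no length check, then bounded by the destination's capacity. The example assumes a 256-byte original MAX_STRING_LEN (so that the 7936 bytes the post mentions yield 8192) and a simplified "METHOD SP URI SP VERSION" request line; the request lines it parses are constructed inline. Enlarging the buffer only moves the threshold at which the unchecked copy overflows, at the memory cost the post describes; the bounds check refuses oversize input at any buffer size.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 256 is assumed here as the MAX_STRING_LEN NCSA httpd 1.3 shipped with;
 * adding the 7936 bytes the post mentions gives 8192.  Both values are
 * assumptions made for this example, not taken from the NCSA source. */
#define OLD_MAX_STRING_LEN 256
#define NEW_MAX_STRING_LEN 8192

enum parse_result { PARSE_OK = 0, PARSE_BAD_REQUEST = -1, PARSE_URI_TOO_LONG = -2 };

/* Locate the request-URI in "METHOD SP URI SP VERSION".  Returns a pointer to
 * its first byte and stores its length, or NULL if the line is malformed. */
static const char *uri_span(const char *line, size_t *len)
{
    const char *sp = strchr(line, ' ');
    if (sp == NULL) return NULL;
    const char *uri = sp + 1;
    const char *end = strchr(uri, ' ');
    *len = end ? (size_t)(end - uri) : strlen(uri);
    return *len ? uri : NULL;
}

/* The unsafe pattern, modelled rather than executed: a strcpy()-style copy of
 * the URI into a MAX_STRING_LEN-sized buffer with no length check.  Returns 1
 * when that copy (URI plus terminating NUL) would write past a cap-byte buffer. */
int unbounded_copy_overflows(const char *line, size_t cap)
{
    size_t len;
    if (uri_span(line, &len) == NULL) return 0;
    return len + 1 > cap;
}

/* The kind of fix a util.c patch stands for: bound the copy by the
 * destination's capacity and refuse oversize input instead of overflowing. */
int parse_request_uri(const char *line, char *dst, size_t cap)
{
    size_t len;
    const char *uri = uri_span(line, &len);
    if (uri == NULL) return PARSE_BAD_REQUEST;
    if (len + 1 > cap) return PARSE_URI_TOO_LONG;
    memcpy(dst, uri, len);
    dst[len] = '\0';
    return PARSE_OK;
}

/* Constructed request line: "GET /aaa...a HTTP/1.0" with a path_len-byte path
 * (path_len >= 1).  Caller frees the result. */
static char *make_request(size_t path_len)
{
    char *line = malloc(path_len + 16);
    if (line == NULL) return NULL;
    memcpy(line, "GET /", 5);
    memset(line + 5, 'a', path_len - 1);
    memcpy(line + 4 + path_len, " HTTP/1.0", 10);   /* 10 bytes includes the NUL */
    return line;
}

/* Parse a constructed request with a path_len-byte path into a cap-byte
 * buffer and report the bounded parser's verdict. */
int probe(size_t path_len, size_t cap)
{
    char *line = make_request(path_len);
    char *buf = malloc(cap);
    int r = (line && buf) ? parse_request_uri(line, buf, cap) : PARSE_BAD_REQUEST;
    free(line);
    free(buf);
    return r;
}

/* Same constructed request, asked whether the unchecked copy would overflow. */
int probe_overflow(size_t path_len, size_t cap)
{
    char *line = make_request(path_len);
    int r = line ? unbounded_copy_overflows(line, cap) : 0;
    free(line);
    return r;
}

int main(void)
{
    size_t caps[] = { OLD_MAX_STRING_LEN, NEW_MAX_STRING_LEN };
    size_t paths[] = { 11, 300, 9000 };
    for (size_t i = 0; i < 2; i++)
        for (size_t j = 0; j < 3; j++)
            printf("cap=%5zu path=%5zu  unchecked copy overflows=%d  bounded parse=%d\n",
                   caps[i], paths[j],
                   probe_overflow(paths[j], caps[i]), probe(paths[j], caps[i]));
    return 0;
}
```

With the 256-byte buffer a 300-byte path overflows the unchecked copy; the 8192-byte buffer absorbs that one but a 9000-byte path overflows it just the same, while the bounded parser returns PARSE_URI_TOO_LONG in both cases and the server can answer with an error instead of being exploited. The check is `len + 1 > cap` rather than `len > cap` so the terminating NUL is counted too.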