[1452] in bugtraq


ANOTHER hole in NCSA httpd1.3R

daemon@ATHENA.MIT.EDU (Paul Phillips)
Wed Apr 12 13:24:58 1995

Date: Tue, 11 Apr 1995 23:49:39 -0700
From: Paul Phillips <paulp@CERF.NET>
Cc: bugtraq@fc.net, www-security@ns1.rutgers.edu

Looks like I posted too fast, I just found another hole in httpd.

In http_access.c, function evaluate_access:

    if(S_ISDIR(finfo->st_mode)) strcpy_dir(path,p);
    else strcpy(path,p);

The second strcpy is copying a filename (again, potentially 8192 characters)
into a local buffer (256 characters.)

Some scary info:

{nic} grep strcpy *.c | wc -l
    123
{nic} grep sprintf *.c |wc -l
     51

There are more holes here, folks.

--
Paul Phillips
paulp@cerf.net
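
Added example, not part of the original post and not NCSA httpd code: a bounded stand-in for the two copies quoted above that rejects an over-long filename instead of writing past the 256-character local buffer. The helper name copy_path_checked is hypothetical, and the trailing '/' for directories is an assumption about what strcpy_dir does; the sample inputs are constructed.

```c
#include <stdio.h>
#include <string.h>
#define PATH_BUF_LEN 256   /* local buffer size given in the post */
#define MAX_NAME_LEN 8192  /* largest filename the post says can arrive */

/* Hypothetical helper, not NCSA httpd code. Copies src into dst only if the
 * whole result fits, appending '/' for directories (assumed strcpy_dir
 * behaviour). Returns 0 on success, -1 if it would not fit; dst is then "". */
int copy_path_checked(char *dst, size_t dstlen, const char *src, int is_dir)
{
    const char *end;
    size_t n, slash;
    if (dst == NULL || dstlen == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;
    end = memchr(src, '\0', dstlen);      /* look no further than dst can hold */
    if (end == NULL)
        return -1;                        /* src alone already exceeds dst */
    n = (size_t)(end - src);
    slash = (is_dir && (n == 0 || src[n - 1] != '/')) ? 1 : 0;
    if (n + slash + 1 > dstlen)
        return -1;                        /* no room for '/' plus the NUL */
    memcpy(dst, src, n);
    if (slash)
        dst[n++] = '/';
    dst[n] = '\0';
    return 0;
}

/* Constructed input: a maximum-length filename aimed at the 256-byte buffer. */
int demo_oversized(void)
{
    static char name[MAX_NAME_LEN];
    char path[PATH_BUF_LEN];
    memset(name, 'A', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    return copy_path_checked(path, sizeof path, name, 0);
}

int main(void)
{
    char path[PATH_BUF_LEN];
    int rc = copy_path_checked(path, sizeof path, "/srv/www/docs", 1);
    printf("dir copy rc=%d path=%s\n", rc, path);
    printf("8191-char name rc=%d\n", demo_oversized());
    return 0;
}
```

A caller would treat the -1 return as a reason to refuse the request; silently truncating the path would leave it checking access on a different file than the one requested.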

