[987] in bugtraq
Re: Vulnerability in NCSA HTTPD 1.3
daemon@ATHENA.MIT.EDU (Paul 'Shag' Walmsley)
Tue Feb 14 03:01:43 1995
Date: Tue, 14 Feb 1995 00:33:05 -0600 (CST)
From: "Paul 'Shag' Walmsley" <ccshag@cclabs.missouri.edu>
To: Thomas Lopatic <lopatic@dbs.informatik.uni-muenchen.de>
Cc: bugtraq@fc.net
In-Reply-To: <199502132138.WAA11587@lionsden.informatik.uni-muenchen.de>
On Mon, 13 Feb 1995, Thomas Lopatic wrote:
> Hello there,
>
> we've installed the NCSA HTTPD 1.3 on our WWW server (HP9000/720, HP-UX 9.01)
> and I've found, that it can be tricked into executing shell commands.
...
> /* The problem is that the array 'tmp' in the function 'strsubfirst()' */
> /* has a length of MAX_STRING_LEN. However, the function can be passed */
> /* arguments with up to HUGE_STRING_LEN characters. */
As Thomas implied, this particular problem can probably be fixed by
changing line 161 of util.c from
char tmp[MAX_STRING_LEN];
to
char tmp[HUGE_STRING_LEN];
in NCSA's source. We're running with the HUGE_STRING_LEN tmp now with no
(immediately apparent) bad side-effects (other than Thomas' hack not working
any more ;)
> --
> Thomas Lopatic lopatic@informatik.uni-muenchen.de
>
- Paul "Shag" Walmsley <ccshag@cclabs.missouri.edu>
"I'll drink a toast to bold evolution any day!"
