[991] in bugtraq
Re: Vulnerability in NCSA HTTPD 1.3
daemon@ATHENA.MIT.EDU (Christopher Davis)
Tue Feb 14 14:23:23 1995
Date: Tue, 14 Feb 1995 11:18:00 -0500
From: Christopher Davis <ckd@loiosh.kei.com>
To: "Paul 'Shag' Walmsley" <ccshag@cclabs.missouri.edu>
Cc: Thomas Lopatic <lopatic@dbs.informatik.uni-muenchen.de>, bugtraq@fc.net
In-Reply-To: <Pine.SGI.3.91.950214002710.12040A-100000@sgi2.phlab.missouri.edu>
TL> == Thomas Lopatic <lopatic@dbs.informatik.uni-muenchen.de>
PW> == Paul 'Shag' Walmsley <ccshag@cclabs.missouri.edu>
TL> we've installed the NCSA HTTPD 1.3 on our WWW server (HP9000/720,
TL> HP-UX 9.01) and I've found that it can be tricked into executing
TL> shell commands.
TL> /* The problem is that the array 'tmp' in the function 'strsubfirst()' */
TL> /* has a length of MAX_STRING_LEN. However, the function can be passed */
TL> /* arguments with up to HUGE_STRING_LEN characters. */
PW> As Thomas implied, this particular problem can probably be fixed by
PW> changing line 161 of util.c from
PW> char tmp[MAX_STRING_LEN];
PW> to
PW> char tmp[HUGE_STRING_LEN];
PW> in NCSA's source. We're running with the HUGE_STRING_LEN tmp now
PW> with no (immediately apparent) bad side-effects (other than Thomas'
PW> hack not working any more ;)
I'd suggest changing it to HUGE_STRING_LEN+MAX_STRING_LEN, just to give
you some slack.
However, I don't think even that will necessarily solve the problem. A
quick pass over the sources shows a *LOT* of strcat/strcpy calls to various
buffers, and *ONE* strncpy. Since they use static buffers all over the
place, this is a recipe for disaster; even if you fix this particular one,
there are probably half a dozen other places where the same sort of thing
could happen.
CERN's httpd seems to be a bit smarter about this sort of thing, but it's
SO huge that even if they have only 10% as many bugs per K, they're worse
than NCSA. (NCSA's src/* is 195K; CERN's WWW/Daemon/Implementation is
610K, plus WWW/Library/Implementation's 1406K(!).)
Plexus, being perl-based, should at least be immune to the string overflow
problem :-) but I haven't exhaustively looked it over yet.
I haven't looked at gn yet; the source is only 146K, though, so it's ahead
of NCSA in at least that category...
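The buffer-size argument above, as an added example that is not from this thread or from NCSA's source: the shape of the fixed-tmp[] copy the thread describes (a reconstruction, since the real strsubfirst() body is not quoted here) and a bounded replacement that checks the destination's capacity and refuses oversized input instead of relying on a bigger temporary. The function name, argument order and sample paths are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Shape of the pattern the thread describes (assumed reconstruction, not
 * NCSA's code): the tail of dest is parked in a fixed tmp[] by strcpy(), so
 * any dest longer than MAX_STRING_LEN overruns tmp on the stack.
 *
 *   void strsubfirst(int start, char *dest, char *src) {
 *       char tmp[MAX_STRING_LEN];
 *       strcpy(tmp, &dest[start]);        // unbounded copy into tmp
 *       strcpy(dest, src);
 *       strcpy(&dest[strlen(src)], tmp);
 *   }
 */

/* Bounded replacement: overwrite the first `start` bytes of dest with src.
 * Returns 0 on success, -1 (dest untouched) if the result would not fit in
 * dest_size. No temporary buffer: memmove() copes with the overlap. */
int strsubfirst_bounded(size_t start, char *dest, size_t dest_size,
                        const char *src)
{
    size_t dlen = strlen(dest), slen = strlen(src), tail;
    if (dest_size == 0 || start > dlen) return -1;
    tail = dlen - start;                      /* bytes kept after the prefix */
    /* Need slen + tail + 1 <= dest_size, written so size_t cannot wrap. */
    if (slen > dest_size - 1 || tail > dest_size - 1 - slen) return -1;
    memmove(dest + slen, dest + start, tail + 1);  /* +1 carries the NUL */
    memcpy(dest, src, slen);
    return 0;
}

/* Constructed inputs: a path that fits after substitution and one that the
 * unbounded shape would have let overflow. Returns 1 when both cases behave. */
int check_bounded(void)
{
    char fits[32]  = "/docs/index.html";
    char small[24] = "/docs/index.html";
    if (strsubfirst_bounded(5, fits, sizeof fits, "/htdocs") != 0) return 0;
    if (strcmp(fits, "/htdocs/index.html") != 0) return 0;
    if (strsubfirst_bounded(5, small, sizeof small, "/home/httpd/htdocs") != -1)
        return 0;
    return strcmp(small, "/docs/index.html") == 0;   /* left untouched */
}

int main(void)
{
    int ok = check_bounded();
    printf("bounded substitution %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```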