NCSA httpd 1.3
Kevin at Paranoia (kevintx paranoia.com)
Thu, 23 Feb 1995 10:22:18 -0600 (CST)

Following CERT's first suggestion on the NCSA httpd 1.3 crashed my WWW server! The added 7936 bytes to MAX_STRING_LEN (in 154 instances) made each running httpd process about 100K larger and brought the server (which runs close to swapping anyway at busy times) crashing to its knees.

NCSA says that the util.c patch is enough to cover the vulnerability. (their details are at http://hoohoo.ncsa.uiuc.edu/docs/patch_desc.html)

The top of that page reads:

    A vulnerability was recently discovered in the NCSA httpd. A program which will break into an HP system running the precompiled httpd has been published, along with step by step instructions.

Three cheers for full disclosure.. it gets results.

kevin
--
kevintxparanoia.com | "Ask me no questions, I'll tell you no lies."
(System Administrator) | Paranoia offers low cost accounts to those in need.
Finger for PGP 2.3 Key | <a href="http://www.paranoia.com/">The Server</a>