Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Bugtraq> 1995_2

Bugtraq archives for 2nd quarter (Apr-Jun) 1995: ANOTHER hole in NCSA httpd1.3R

ANOTHER hole in NCSA httpd1.3R

Paul Phillips (paulpCERF.NET)
Tue, 11 Apr 1995 23:49:39 -0700

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Scott Barman: "Replacement for NIS? (was Re: Obtaining NIS domainname from Gatorbox)"
Previous message: shedgescactus.netinterior.com: "Sys V."

Looks like I posted too fast, I just found another hole in httpd.

In http_access.c, function evalute_access:

    if(S_ISDIR(finfo->st_mode)) strcpy_dir(path,p);
    else strcpy(path,p);

The second strcpy is copying a filename (again, potentially 8192 characters)
into a local buffer (256 characters.)

Some scary info:

{nic} grep strcpy *.c | wc -l
    123
{nic} grep sprintf *.c |wc -l
     51

There are more holes here, folks.

--
Paul Phillips
paulpcerf.net

Next message: Scott Barman: "Replacement for NIS? (was Re: Obtaining NIS domainname from Gatorbox)"
Previous message: shedgescactus.netinterior.com: "Sys V."