From: D. (dugelyyahoo.com)
Date: Sun Jan 06 2002 - 23:11:45 CST
ANTI-WEB HTTPD OFFICIAL SECURITY ADVISORY
This is Doug Hoyte, head programmer of the Anti-Web
A recent advisory put out by methodic from AngryPacket
officially confirmed to be
valid, however DO NOT INSTALL THE PATCH ACCOMPANYING
It opens up a format string vulnerability in the code,
may be some stability issues involved also.
In discussion about this vulnerability with 3APA3A
and methodic, a few other problems were unearthed.
DESCRIPTION OF PROBLEMS
-A local DoS attack that can be carried out if the
attacker has write access
to an Anti-Web HTML tree. This is most common when
each user has personal
webspace on a server. See methodic's advisory for
-Another local DoS attack I discovered while
attack: Removing the F: from an AW script altogether
can cause AW to
escalate CPU usage. Again, the attacker needs write
access in an AW HTML tree.
-A potential heap overflow in the loading of the
script code, which could
result in a shell with UID/GID 32767 (by default).
Again, the attacker would
have to have write access in an AW HTML tree.
-A syslog() format string vulnerability. Fortunately,
this is not exploitable
in any official versions of Anti-Web, but might've
posed problems in the
event of future code additions.
Download the new, patched version here:
CHANGELOG is here:
Alternatively, as mentioned by methodic, you could
the "#define NOSCRIPT" line in config.h. Note: In the
new version, you
would want to comment out "#define SCRIPTING".
Scripting is disabled by default in newer versions
I should also add that this new version HASN'T been
It's holding up alright for me, but there are dangling
the new SunOS port is still in beta.
WHO SHOULD GET THE NEW VERSION
If you're a sysadmin who is giving users personal
webspace in an Anti-Web
HTML tree, INSTALL THIS VERSION NOW!
If you're running a small, personal webserver with you
as the only user,
this version won't add much in terms of security, so
you may as well wait
for 2.3 to come out, or uncomment NOSCRIPT.
If you've extended the code yourself, and taken
advantage of the logthis()
function, your new code may be vulnerable, UPDATE NOW!
Having recently experienced a "GOBBLES" advisory, I
was a bit skeptical
about this advisory at first, but methodic did an
excellent research job
here. He also acted very courteously in notifying me,
the head programmer.
3APA3A was also very helpful, unearthing other
problems with the code.
I'd also like to point out how well this issue
illustrates the difficulty
in writing completely bug free code. Even a patch
designed to close up
a security hole can end up opening another one. The
job of a programmer
is certainly no cakewalk.
methodic and 3APA3A for uncovering these
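The syslog() format string problem and the logthis() warning in the advisory above, shown as an added C example that is not Anti-Web's code and not from the advisory's author. The names log_fmt and log_untrusted are hypothetical and the sample input is constructed; untrusted text is only ever passed as an argument to a constant format string.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Hypothetical helper names; Anti-Web's real logthis() signature is not
 * shown in the advisory, so this is a generic stand-in.
 *
 * Unsafe pattern (do not use): syslog(LOG_INFO, untrusted);
 * Any '%' directive inside 'untrusted' is then interpreted by syslog(). */

/* The format attribute makes gcc/clang type-check the arguments and, with
 * -Wformat-security, warn when a call site passes a non-literal format. */
int log_fmt(char *out, size_t outlen, const char *fmt, ...)
    __attribute__((format(printf, 3, 4)));

/* Render into 'out' (kept so callers and tests can inspect the text), then
 * hand the finished text to syslog() strictly as data. */
int log_fmt(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (outlen == 0)
        return -1;                         /* nothing could be stored */
    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);   /* bounded and NUL-terminated */
    va_end(ap);
    syslog(LOG_INFO, "%s", out);           /* constant format string */
    return n;                              /* length the full text needed */
}

/* Log attacker-influenced text: it is only ever an argument to "%s". */
int log_untrusted(char *out, size_t outlen, const char *what,
                  const char *untrusted)
{
    return log_fmt(out, outlen, "%s: %s", what, untrusted);
}

int main(void)
{
    char line[128];
    /* Constructed sample input containing format directives. */
    log_untrusted(line, sizeof line, "script name", "%x%x%n%s");
    printf("%s\n", line);   /* the directives appear literally */
    return 0;
}
```

Building with -Wformat -Wformat-security makes the compiler flag any remaining call that passes a non-literal string as the format.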