|
|
BugTraq
local buffer overflow in htpasswd for apache 1.3.31 not fixed in .33? Oct 29 2004 05:56PM Larry Cashdollar (lwc vapid ath cx) (3 replies) Re: local buffer overflow in htpasswd for apache 1.3.31 not fixed in .33? Nov 01 2004 03:55PM Henning Brauer (henning openbsd org) Re: local buffer overflow in htpasswd for apache 1.3.31 not fixed in .33? Oct 29 2004 09:34PM Michael Engert (michi bello engert org) |
|
Privacy Statement |
> This was posted on the full-disclosure list sept 16 2004 by
> Luiz Fernando.
>
> http://archives.neohapsis.com/archives/fulldisclosure/2004-09/0547.html
>
> The nessus check for this vulnerability recommends upgrading to
> Apache version 1.3.32:
>
> http://cgi.nessus.org/plugins/dump.php3?id=14771
>
> But in Apache 1.3.33:
>
> lachoy# grep strcpy /install/src/apache_1.3.33/src/support/htpasswd.c
> strcpy(record, user);
> strcpy(pwfilename, argv[i]);
> strcpy(user, argv[i + 1]);
> strcpy(password, argv[i + 2]);
> strcpy(scratch, line);
>
> It is still vulnerable.
If you start htpasswd from a shell and you exploit some kind of buffer
overflow, you get ... a shell?. Wow!
Whoever runs htpasswd setuid is darn silly. The httpd developers, the docs and
commonsense tell, that the program is just not designed for such an intention.
Or in other words, take any program that's not designed for being run setuid
and you'll find a "vulnerability" (e.g. with malloc debug environment
variables or the like).
Sorry, I can't see a security vulnerability here.
nd
--
> [...] weiß jemand zufällig, was der Tag DIV ausgeschrieben bedeutet?
DIVerses. Benannt nach all dem unstrukturierten Zeug, was die Leute da
so reinpacken und dann absolut positionieren ...
-- Florian Hartig und Lars Kasper in dciwam
[ reply ]