Message-ID: <47c0571c0701021220r6ad0169l4d0f9d70ffdd7653@mail.gmail.com>
Date: Tue, 2 Jan 2007 17:20:25 -0300
From: "Matias Soler" <gnuler@...il.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Apache 1.3.37 htpasswd buffer overflow vulnerability
Synopsis: Apache 1.3.37 htpasswd buffer overflow vulnerability
Version: 1.3.37 (latest 1.3.xx)
Product
=======
Apache htpasswd utility
Issue
=====
A buffer overflow vulnerability has been found; it is dangerous only in
environments where the binary is suid root.
Details
=======
Incorrect validation of the size of user input allows a string to be copied,
via strcpy, into a fixed-size buffer.
File: htpasswd.c, line 421.
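The defect described above is not the absence of a length check but its placement: the check exists, yet only on one of the code paths that reach the strcpy. The following C program is an added example (not code from Apache or from this advisory) that models both shapes: a pre-patch variant in which the username check sits inside the same branch as the password-file handling, and a hardened variant in which a bounded-copy helper guards the copy on every path. The buffer sizes, the ERR_OVERFLOW value, the WOULD_OVERFLOW sentinel and the "nofile" flag are constructed for the demo; the pre-patch variant only reports that an overflow would occur and never performs the unchecked copy.

```c
#include <stdio.h>
#include <string.h>

#define MAX_STRING_LEN 256   /* constructed: size of the fixed buffers in this demo */
#define ERR_OVERFLOW   5     /* constructed return code for a rejected argument */
#define WOULD_OVERFLOW (-1)  /* constructed sentinel: the copy would have overflowed */

/* Bounded copy: refuses input that would not fit instead of letting strcpy
   run past the end of dst. Returns 0 on success, ERR_OVERFLOW otherwise. */
static int copy_bounded(char *dst, size_t dstsize, const char *src, const char *what)
{
    if (strlen(src) > dstsize - 1) {
        fprintf(stderr, "%s too long (>%lu)\n", what, (unsigned long)(dstsize - 1));
        return ERR_OVERFLOW;
    }
    strcpy(dst, src);   /* safe: length already verified against dstsize */
    return 0;
}

/* Models the pre-patch control flow (an assumption about the structure, not a
   copy of htpasswd.c): the username length check lives inside the branch that
   also handles the password file name, so the other branch (nofile != 0)
   reaches the username copy with no check at all. To stay safe to run, this
   function returns WOULD_OVERFLOW where the original would have overflowed. */
int validate_args_before(int nofile, const char *pwfilename, const char *username)
{
    char file[MAX_STRING_LEN];
    char user[MAX_STRING_LEN];

    if (!nofile) {
        if (copy_bounded(file, sizeof(file), pwfilename, "filename") != 0)
            return ERR_OVERFLOW;
        if (strlen(username) > sizeof(user) - 1)      /* only checked here */
            return ERR_OVERFLOW;
    }
    /* The unconditional strcpy(user, username) sits here in the flawed layout. */
    if (strlen(username) > sizeof(user) - 1)
        return WOULD_OVERFLOW;                         /* report instead of copy */
    strcpy(user, username);
    return 0;
}

/* Hardened layout: the check is moved out of the branch, so the username copy is
   bounded on every path, regardless of whether a password file is involved. */
int validate_args_after(int nofile, const char *pwfilename, const char *username)
{
    char file[MAX_STRING_LEN];
    char user[MAX_STRING_LEN];

    if (!nofile) {
        if (copy_bounded(file, sizeof(file), pwfilename, "filename") != 0)
            return ERR_OVERFLOW;
    }
    return copy_bounded(user, sizeof(user), username, "username");
}

/* Constructed oversized username: MAX_STRING_LEN + 63 'A' characters. */
const char *long_username(void)
{
    static char buf[MAX_STRING_LEN + 64];
    memset(buf, 'A', sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = '\0';
    return buf;
}

int main(void)
{
    printf("before, nofile=1, long name: %d (WOULD_OVERFLOW is %d)\n",
           validate_args_before(1, NULL, long_username()), WOULD_OVERFLOW);
    printf("after,  nofile=1, long name: %d (ERR_OVERFLOW is %d)\n",
           validate_args_after(1, NULL, long_username()), ERR_OVERFLOW);
    printf("after,  nofile=0, short name: %d\n",
           validate_args_after(0, "/tmp/demo.htpasswd", "alice"));
    return 0;
}
```

The point to take from the two variants is that a length check is only a mitigation on the paths that actually execute it; pairing the check with the copy in one helper, as copy_bounded does, makes it impossible to add a new branch that reaches the copy unchecked.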
Solution
========
Apply this patch to htpasswd.c
-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<--
415,419c415,420
< if (strlen(argv[i + 1]) > (sizeof(user) - 1)) {
< fprintf(stderr, "%s: username too long (>%lu)\n", argv[0],
< (unsigned long)(sizeof(user) - 1));
< return ERR_OVERFLOW;
< }
---
> }
> if (strlen(argv[i + 1]) > (sizeof(user) - 1)) {
> fprintf(stderr, "%s: username too long (>%lu)\n", argv[0],
> (unsigned long)(sizeof(user) - 1));
> return ERR_OVERFLOW;
>
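Review bot: the relocation is the right shape (the existing username check now sits above the `}` that closed its enclosing block, so it runs on the path that previously reached the strcpy at line 421 unchecked), but the hunk is a plain line-numbered diff with no file header and no context lines, so it only applies when the local htpasswd.c matches 1.3.37 line for line; a unified diff (`diff -u`) would apply with offset and would also show which block the check has been lifted out of. The last `>` line with no text adds an empty line; if that is intentional it is harmless, but it is worth stating so that it is not mistaken for a truncated hunk.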
--->8----->8----->8----->8----->8----->8----->8----->8----->8----->8----->8-----
Affected Versions
==================
1.3.37 - http://www.apache.org/dist/httpd/apache_1.3.37.tar.gz
Notes & References
==================
Another similar bug was discovered by Luiz Fernando [1]; a patch was written
by Larry Cashdollar which also fixed the bug I'm posting, but it does not seem
to have been applied to the latest versions of Apache 1.3.xx.
Michael Engert submitted another patch [1] which also fixed this bug and filed
a bug report [2], but it wasn't applied.
Have a look at other posts [3][4] on this (and similar) issues.
A bug report [5] on this issue has been filed.
Credits
=======
Matias S. Soler - gnuler [at] gmail [dot] com
Luiz Fernando
Michael Engert
1 - http://archives.neohapsis.com/archives/fulldisclosure/2004-09/0547.html
2 - http://issues.apache.org/bugzilla/show_bug.cgi?id=31975
3 - http://seclists.org/bugtraq/2004/Oct/0359.html
4 - http://www.security-express.com/archives/fulldisclosure/2004-10/1117.html
5 - http://issues.apache.org/bugzilla/show_bug.cgi?id=41279
--
Matias S. Soler