UdmSearch version: 3.1.12
Platform:
OS:
Database:
Statistics:
Please close a remote buffer overflow that lets an attacker gain shell access
as the user search.cgi runs under. Patch below. I am not sure I have closed _all_ places where an internal
string can be overflowed with shell-calling code written to the stack.
--- src/search.c.old Wed Feb 28 15:28:10 2001
+++ src/search.c Thu Apr 19 18:02:10 2001
@@ -1269,7 +1269,8 @@
strcpy(template,env);
if((env=getenv(\"QUERY_STRING\"))){
- strcpy(query_string,env);
+ strncpy(query_string,env,UDMSTRSIZ-1);
+ query_string[UDMSTRSIZ-1] = \'\\0\';
if((env=getenv(\"REDIRECT_STATUS\"))){
/* Check Apache internal redirect */
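Review bot: The `strcpy(template,env);` context line directly above the patched copy is still unbounded, so the same overflow class remains for whichever environment variable `env` holds at that point (its `getenv` call is outside the hunk). It needs a bound tied to the destination, for example `snprintf(template, sizeof(template), "%s", env);` if `template` is an array in this scope; its declaration is not visible here. The new `UDMSTRSIZ-1` bound on `query_string` is only correct if that buffer is declared with at least `UDMSTRSIZ` bytes, which should be confirmed against the declaration. An over-long QUERY_STRING is now silently truncated, so it is worth deciding whether the request should be rejected instead of searched with a cut-off query.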
@@ -1316,8 +1317,10 @@
/* or under server which do not */
/* pass an empty QUERY_STRING var */
- if(argv[1])
- sprintf(query_string,\"q=%s\",argv[1]);
+ if(argv[1]) {
+ strcpy(query_string, \"q=\");
+ strncat(query_string, argv[1], UDMSTRSIZ-1-2);
+ }
if(!template[0])
sprintf(template,\"%s/%s\", UDM_CONF_DIR,\"search.htm\");
}
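Review bot: The hand-computed limit in `strncat(query_string, argv[1], UDMSTRSIZ-1-2);` is arithmetically right for a `UDMSTRSIZ`-byte buffer, but it hard-codes the length of the `"q="` prefix and will go wrong if either the prefix or the buffer size changes. A single bounded format call keeps the limit tied to the destination: `snprintf(query_string, sizeof(query_string), "q=%s", argv[1]);`, assuming `query_string` is an array here (its declaration is outside the hunk). The `sprintf(template,"%s/%s", UDM_CONF_DIR,"search.htm");` just below is left unbounded; its inputs look like build-time constants, but bounding it the same way would remove the last unchecked write in this hunk. The enclosing function starts and ends outside the hunk, so other copies into these buffers may remain.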