Synopsis: Apache 1.3.37 htpasswd buffer overflow vulnerability
Version: 1.3.37 (latest 1.3.xx)
Product
=======
Apache htpasswd utility

Issue
=====
A buffer overflow vulnerability has been found. It is dangerous only in environments where the binary is suid root.

Details
=======
Incorrect validation of the size of user input allows a string to be copied, via strcpy, into a fixed-size buffer.
File: htpasswd.c, line 421.

Solution
========
Apply this patch to htpasswd.c

-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<--
415,419c415,420
< if (strlen(argv[i + 1]) > (sizeof(user) - 1)) {
< fprintf(stderr, "%s: username too long (>%lu)\n", argv[0],
< (unsigned long)(sizeof(user) - 1));
< return ERR_OVERFLOW;
< }
---
> }
> if (strlen(argv[i + 1]) > (sizeof(user) - 1)) {
> fprintf(stderr, "%s: username too long (>%lu)\n", argv[0],
> (unsigned long)(sizeof(user) - 1));
> return ERR_OVERFLOW;
>
--->8----->8----->8----->8----->8----->8----->8----->8----->8----->8----->8-----

Affected Versions
=================
1.3.37 - http://www.apache.org/dist/httpd/apache_1.3.37.tar.gz

Notes & References
==================
Another similar bug was discovered by Luiz Fernando [1]. A patch was written by Larry Cashdollar which also fixed the bug I'm posting, but it seems not to have been applied to the latest versions of Apache 1.3.xx. Michael Engert submitted another patch [1] which also fixed this bug and filed a bug report [2], but it wasn't applied. See the other posts [3][4] on this (and similar) issues. A bug report [5] on this issue has been filed.

Credits
=======
Matias S. Soler - gnuler [at] gmail [dot] com
Luiz Fernando
Michael Engert

1 - http://archives.neohapsis.com/archives/fulldisclosure/2004-09/0547.html
2 - http://issues.apache.org/bugzilla/show_bug.cgi?id=31975
3 - http://seclists.org/bugtraq/2004/Oct/0359.html
4 - http://www.security-express.com/archives/fulldisclosure/2004-10/1117.html
5 - http://issues.apache.org/bugzilla/show_bug.cgi?id=41279

--
Matias S. Soler
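Review bot: the hunk fixes the defect by moving the closing `}` above the username length check, so the check now runs before the `strcpy` on every path instead of only inside the brace block it used to be nested in; the new lines stop at `return ERR_OVERFLOW;` and rely on the unchanged line 420 `}` to close the new `if`, which the advisory should say explicitly, because this is a normal (line-number) diff with no context and `patch` can only apply it to a file whose lines 415-420 match 1.3.37 exactly. A unified diff (`diff -u`) against the 1.3.37 tree would carry that context, let `patch` verify it, and make the brace move visible without reading the surrounding source.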
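As an added illustration (not code from the advisory or from Apache), the two control-flow shapes the patch distinguishes, with the buffer size, the ERR_OVERFLOW value and the MODE_NOFILE flag as assumptions: unpatched_flow() models a length check nested in a block that not every invocation enters, while patched_copy_user() hoists the check in front of the copy so it guards every path.

```c
#include <stdio.h>
#include <string.h>

#define ERR_OVERFLOW 5   /* assumed value; only the name matches htpasswd */
#define USER_BUF 256     /* assumed size of the fixed user[] buffer */
#define MODE_NOFILE 1    /* assumed flag for the mode that skips the block */

/* 1.3.37 shape: the check sits in a block only some invocations enter, but
 * the strcpy() after it runs on every path. Returns ERR_OVERFLOW if the nested
 * check fired, 1 if the copy would have overflowed unchecked, 0 if it fits.
 * The copy is only modelled, never performed, so this is safe to run. */
int unpatched_flow(const char *arg, int mode)
{
    if (!(mode & MODE_NOFILE)) {
        if (strlen(arg) > USER_BUF - 1)
            return ERR_OVERFLOW;   /* reachable on one path only */
    }
    /* strcpy(user, arg) would follow here regardless of mode */
    return strlen(arg) > USER_BUF - 1 ? 1 : 0;
}

/* Patched shape: the closing brace moves above the check, so it guards
 * every path before the copy. Copies into out (size outsz) and returns 0,
 * or returns ERR_OVERFLOW and leaves out untouched. */
int patched_copy_user(char *out, size_t outsz, const char *arg, int mode)
{
    if (!(mode & MODE_NOFILE)) {
        /* mode-specific work (e.g. the password file name) stays here */
    }
    if (strlen(arg) > outsz - 1) {
        fprintf(stderr, "username too long (>%lu)\n", (unsigned long)(outsz - 1));
        return ERR_OVERFLOW;
    }
    strcpy(out, arg);   /* bounded by the check above */
    return 0;
}

/* Constructed input: a 300-character username, longer than USER_BUF. */
const char *long_name(void)
{
    static char name[301];
    memset(name, 'a', 300);
    name[300] = '\0';
    return name;
}

/* Runs the patched copy into a correctly sized local buffer. */
int patched_result(const char *arg, int mode)
{
    char user[USER_BUF];
    return patched_copy_user(user, sizeof user, arg, mode);
}
```

With the long constructed name, unpatched_flow() reports 1 (an unchecked copy) in MODE_NOFILE but ERR_OVERFLOW in the other mode, whereas patched_result() returns ERR_OVERFLOW in both.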
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/