[Full-Disclosure] Re: [SECURITY] [DSA 523-1] New www-sql packages fix buffer overflow

From: Ulf Härnhammar (Ulf.Harnhammar.9485_at_student.uu.se)
Date: 06/20/04

    To: full-disclosure@lists.netsys.com
    Date: Sun, 20 Jun 2004 23:03:04 +0200

    www-sql has an include command, allowing programs written in www-sql
    to include files. The buffer overflow occurs when an include command
    in a web page has too long a path, either one that is hardcoded or
    one that is stored in a variable. The buffer overflow is stack-based
    and gives you control over EIP.

    In the special case where the include command uses a parameter
    controlled by the web page's visitors (by form data or otherwise),
    the overflow can be exploited remotely. Otherwise it is a local
    privilege escalation.

    I have attached a patch (against version 0.5.7) and a sample
    web page.

    // Ulf Harnhammar
       Debian Security Audit Project


    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
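As an added illustration, not code from www-sql or from the patch mentioned in the post: a constructed C sketch of the bug class described above (a fixed-size stack buffer receiving an include path with no length check) next to a bounded version that rejects over-long paths. INCLUDE_PATH_MAX, the function names and the 256-byte limit are assumptions for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define INCLUDE_PATH_MAX 256   /* assumed buffer size for this example */

/* Vulnerable pattern: the include path is copied into a fixed stack buffer
 * without a length check, so a path longer than the buffer overwrites the
 * saved frame data (the stack-based overflow the post describes). Never
 * call this with untrusted input; it is here only to show the shape. */
int include_unchecked(const char *path)
{
    char fname[INCLUDE_PATH_MAX];
    strcpy(fname, path);              /* unbounded copy: the defect */
    return (int)strlen(fname);
}

/* Hardened pattern: make sure the path (plus its NUL) fits before copying.
 * Returns 0 on success, -1 if the path is rejected. memchr stops scanning
 * at outlen, so an unterminated or over-long path cannot run past the buffer. */
int include_checked(const char *path, char *out, size_t outlen)
{
    const char *end;
    if (path == NULL || out == NULL || outlen == 0)
        return -1;
    end = memchr(path, '\0', outlen); /* NUL must appear within outlen bytes */
    if (end == NULL)
        return -1;                    /* path of outlen bytes or more: reject */
    memcpy(out, path, (size_t)(end - path) + 1);
    return 0;
}

/* Helper for experiments: build a constructed path of `len` 'x' characters
 * and run it through the checked version with an INCLUDE_PATH_MAX buffer. */
int demo_path_of_length(size_t len)
{
    char out[INCLUDE_PATH_MAX];
    char *path = malloc(len + 1);
    int rc;
    if (path == NULL)
        return -1;
    memset(path, 'x', len);
    path[len] = '\0';
    rc = include_checked(path, out, sizeof out);
    free(path);
    return rc;
}

int main(void)
{
    printf("255 chars: %d\n", demo_path_of_length(255)); /* fits: 0 */
    printf("256 chars: %d\n", demo_path_of_length(256)); /* rejected: -1 */
    return 0;
}
```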
