[Full-Disclosure] Re: [SECURITY] [DSA 523-1] New www-sql packages fix buffer overflow
From: Ulf Härnhammar (Ulf.Harnhammar.9485_at_student.uu.se)
Date: 06/20/04
To: full-disclosure@lists.netsys.com
Date: Sun, 20 Jun 2004 23:03:04 +0200
www-sql has an include command, allowing programs written in www-sql
to include files. The buffer overflow occurs when an include command
in a web page has a too long path, either one that is hardcoded or
one that is stored in a variable. The buffer overflow is stack-based
and gives you control over EIP.
In the special case where the include command uses a parameter
controlled by the web page's visitors (by form data or otherwise),
the overflow can be exploited remotely. Otherwise it is a local
privilege escalation.
I have attached a patch (against version 0.5.7) and a sample
web page.
// Ulf Harnhammar
Debian Security Audit Project
http://www.debian.org/security/audit/
- text/x-sql attachment: test.sql
- text/x-patch attachment: www-sql.patch
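The bounds check that this class of bug calls for, as an added example that is not www-sql code and not the attached patch: it resolves an include path that is either literal or stored in a variable, and rejects it when it does not fit the destination buffer. The `$name` variable syntax, the 256-byte buffer size and all function and struct names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define INCLUDE_PATH_MAX 256   /* assumed buffer size, not taken from www-sql */

/* Hypothetical variable store standing in for script variables / form data. */
struct var { const char *name; const char *value; };

static const char *lookup_var(const struct var *vars, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(vars[i].name, name) == 0)
            return vars[i].value;
    return NULL;
}

/* The unsafe pattern is `char buf[INCLUDE_PATH_MAX]; strcpy(buf, path);`:
 * nothing ties the length of path to the size of the stack buffer.
 * Here the length is checked after variable expansion, because that is the
 * string that is actually copied. Over-long paths are rejected, not truncated,
 * so a shortened path can never name a different file.
 * Returns 0 on success, -1 for an unknown variable, -2 if the path is too long. */
int resolve_include(const char *arg, const struct var *vars, size_t nvars,
                    char *out, size_t outsz)
{
    const char *path = arg;
    if (arg[0] == '$') {                    /* path stored in a variable */
        path = lookup_var(vars, nvars, arg + 1);
        if (path == NULL)
            return -1;
    }
    size_t len = strlen(path);
    if (len >= outsz)                       /* need room for the trailing NUL */
        return -2;
    memcpy(out, path, len + 1);
    return 0;
}

int main(void)
{
    char big[1024], out[INCLUDE_PATH_MAX];  /* constructed sample input */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    struct var vars[] = { { "page", big } };
    printf("literal:  %d\n", resolve_include("header.sql", vars, 1, out, sizeof out));
    printf("variable: %d\n", resolve_include("$page", vars, 1, out, sizeof out));
    return 0;
}
```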