[UNIX] Multiple Vulnerabilities in ATPhttpd
From: support@securiteam.com
Date: 07/14/02
From: support@securiteam.com
To: list@securiteam.com
Date: Sun, 14 Jul 2002 10:09:00 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Multiple Vulnerabilities in ATPhttpd
------------------------------------------------------------------------
SUMMARY
<http://www.redshift.com/~yramin/atp/atphttpd/> ATPhttpd is a tiny,
caching, high performance webserver. The product has been found to contain
multiple remotely exploitable security vulnerabilities.
DETAILS
Vulnerable systems:
* ATPhttpd version 0.4b
The source code contains several remotely exploitable flaws: regular
buffer overflows and an off-by-one buffer overflow. By exploiting these
vulnerabilities, an attacker would be able to gain the higher privileges
of the user running ATPhttpd.
Solution:
The author was contacted, but he was not reachable. The following patch
should fix these bugs.
atphttpd-0.4b.patch:
diff -u atphttpd-0.4b-old/atphttpd/http_handler.c
atphttpd-0.4b/atphttpd/http_handler.c
- --- atphttpd-0.4b-old/atphttpd/http_handler.c Sat Apr 22 05:05:57 2000
+++ atphttpd-0.4b/atphttpd/http_handler.c Fri Jul 12 13:20:16 2002
@@ -235,7 +235,7 @@
(void) sprintf(buffer, "<HTML><HEAD><TITLE>%d
%s</TITLE></HEAD>\n<BODY><H2>%d %s</H2>\n", status, title, status, title
);
sock_puts(hc[listnum].socket, buffer);
- - (void) sprintf(buffer, "The following error occurred while trying to
examine the garbage that you sent this poor webserver:
<br><b>%s</b><br><br>\n", text );
+ snprintf(buffer, sizeof(buffer), "The following error occurred while
trying to examine the garbage that you sent this poor webserver:
<br><b>%s</b><br><br>\n", text);
sock_puts(hc[listnum].socket, buffer);
(void) sprintf(buffer, "<HR>\n<ADDRESS>This cool page was automaticly
generated by the trained rodents living inside the <A HREF=\"%s\">%s</A>
webserver.</ADDRESS>\n</BODY></HTML>\n", SERVER_URL, SERVER_NAME );
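Review bot: Only the middle of the three sprintf calls visible in this http_handler.c hunk is bounded; the context lines that format the <TITLE>/<H2> header and the <ADDRESS> footer still write into the same buffer with no length limit. The header call formats title twice through %s, so unless every caller passes a short constant it can overrun buffer the same way text did; converting both to snprintf(buffer, sizeof(buffer), ...) would close the pattern. Please also confirm that buffer is declared as an array in this function (the declaration is outside the hunk), since sizeof(buffer) on a pointer would give the pointer size. Separately, text is still placed into the HTML body through %s without any escaping.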
diff -u atphttpd-0.4b-old/atphttpd/main.c atphttpd-0.4b/atphttpd/main.c
- --- atphttpd-0.4b-old/atphttpd/main.c Sat Apr 22 05:06:00 2000
+++ atphttpd-0.4b/atphttpd/main.c Fri Jul 12 13:30:55 2002
@@ -141,13 +141,11 @@
}
}
- - void deal_with_data(int listnum) {
- - char buffer[MAX_BUFFER]; /* Buffer for socket reads */
- -// char *cur_char; /* Used in processing buffer */
- - char method[MAX_STORE], path[MAX_STORE], protocol[MAX_STORE];
- -
- - if (sock_gets(hc[listnum].socket,buffer,MAX_BUFFER) < 0) {
+void deal_with_data(int listnum) {
+ char buffer[MAX_BUFFER];
+ char method[MAX_STORE], path[MAX_STORE], protocol[MAX_STORE];
+ if (sock_gets(hc[listnum].socket, buffer, MAX_BUFFER - 1) < 0) {
close(hc[listnum].socket);
hc[listnum].socket = 0;
} else {
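Review bot: The sock_gets call now passes MAX_BUFFER - 1, but nothing in this hunk shows why one byte short is the correct bound. sock_gets itself is not part of the patch, so if the off-by-one lives in how it terminates the string, any other caller still has it. I would fix the terminator handling inside sock_gets, or at least leave a comment at this call site explaining the -1. The hunk also drops the "Buffer for socket reads" comment and the commented-out cur_char line; that cleanup is unrelated to the fix and makes the one-character security change harder to spot.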
@@ -155,7 +153,7 @@
* *
* Right now it is very dumb, and only checks for a get header *
* Improvements? */
- - sscanf( buffer, "%[^ ] %[^ ] %[^ ]", method, path, protocol );
+ sscanf(buffer, "%1023s %1023s %1023s", method, path, protocol);
if ( strcasecmp( method, "get" ) == 0 || strcasecmp(
method, "head" ) == 0) {
strcpy(hc[listnum].path, path);
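Review bot: The strcpy(hc[listnum].path, path) in the trailing context is still unbounded. After this change path can hold up to 1023 bytes, and the size of hc[listnum].path is not visible here, so that copy needs a length check or a bounded copy against the destination size. In the sscanf line the literal 1023 assumes MAX_STORE is at least 1024; derive the width from MAX_STORE or add a compile-time check so the two cannot drift apart. The sscanf return value is also ignored, so a request line with fewer than three fields leaves path or protocol (or method, on an empty line) uninitialized before the strcasecmp and strcpy calls; check that it returns 3. Note as well that %s splits on any whitespace, where the old %[^ ] split only on spaces.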
ADDITIONAL INFORMATION
The information has been provided by <mailto:qitest1@bespin.org> qitest1.
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.