Posted to bugs@httpd.apache.org by bu...@apache.org on 2004/08/11 13:49:05 UTC
DO NOT REPLY [Bug 30586] New: - Apache htdbm utility buffer overflows/format strings
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=30586>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=30586
Summary: Apache htdbm utility buffer overflows/format strings
Product: Apache httpd-2.0
Version: 2.0.50
Platform: All
OS/Version: All
Status: NEW
Severity: Normal
Priority: Other
Component: support
AssignedTo: bugs@httpd.apache.org
ReportedBy: sitic@pts.se
(Initially reported as SITIC Vulnerability Advisory SA04-004, redefined as bug
after discussion with ASF httpd security team)
Apache's htdbm utility suffers from various buffer overflows and potential
format string bugs when listing or verifying database contents. This could be
an issue when several system administrators handle the same Apache
installation. Administrator A could store malicious data in a database and
Administrator B could list or verify that database, causing actions to be
carried out in Administrator B's name.
This bug was discovered by Ulf Harnhammar for SITIC, Swedish IT
Incident Centre.
The included patch is our attempt at correcting this issue:
--- support/htdbm.c 2004-03-30 01:07:46.000000000 +0200
+++ support/htdbm.c.ulf 2004-08-02 13:14:52.000000000 +0200
@@ -225,6 +225,8 @@
if (apr_dbm_fetch(htdbm->dbm, key, &val) != APR_SUCCESS)
return APR_ENOENT;
rec = apr_pstrndup(htdbm->pool, val.dptr, val.dsize);
+ if (strlen(rec) > MAX_STRING_LEN)
+ return APR_EINVAL; /* buffer overflow */
cmnt = strchr(rec, ';');
if (cmnt)
strncpy(pwd, rec, cmnt - rec);
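Review bot: the `strncpy(pwd, rec, cmnt - rec);` that this hunk keeps still leaves `pwd` without a NUL terminator, and the new `strlen(rec) > MAX_STRING_LEN` bound is checked against `rec` rather than against whatever size `pwd` is declared with (its declaration is outside the hunk), so the two can drift apart. Since `rec` is already pool-allocated by `apr_pstrndup`, the password part can be taken the same way, `pwd = apr_pstrndup(htdbm->pool, rec, cmnt - rec);`, which sizes and terminates it for any record length and makes the added check (and its silent `APR_EINVAL`, which a caller cannot tell apart from a malformed record) unnecessary. If the check stays, `val.dsize` is already in hand and is the more direct value to compare than `strlen(rec)`.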
@@ -240,6 +242,7 @@
char *rec, *cmnt;
char kb[MAX_STRING_LEN];
int i = 0;
+ unsigned int copylen;
rv = apr_dbm_firstkey(htdbm->dbm, &key);
if (rv != APR_SUCCESS) {
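Review bot: `copylen` should be declared `apr_size_t` rather than `unsigned int`: it is assigned from `key.dsize`/`val.dsize` and from `sizeof(kb)`, all size_t-class values, and is then used as an index into `kb` and `rec`. On LP64 builds the narrowing assignment is a compiler warning at best and a truncated bound at worst; keeping the same type as the sizes it clamps avoids both.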
@@ -256,14 +259,20 @@
fprintf(stderr, "Failed getting data from %s\n", htdbm->filename);
return APR_EGENERAL;
}
- strncpy(kb, key.dptr, key.dsize);
- kb[key.dsize] = '\0';
+ copylen = (key.dsize > sizeof(kb)) ?
+ sizeof(kb) :
+ key.dsize;
+ strncpy(kb, key.dptr, copylen);
+ kb[copylen] = '\0';
fprintf(stderr, " %-32s", kb);
- strncpy(rec, val.dptr, val.dsize);
- rec[val.dsize] = '\0';
+ copylen = (val.dsize > HUGE_STRING_LEN) ?
+ HUGE_STRING_LEN :
+ val.dsize;
+ strncpy(rec, val.dptr, copylen);
+ rec[copylen] = '\0';
cmnt = strchr(rec, ':');
if (cmnt)
- fprintf(stderr, cmnt + 1);
+ fprintf(stderr, "%s", cmnt + 1);
fprintf(stderr, "\n");
rv = apr_dbm_nextkey(htdbm->dbm, &key);
if (rv != APR_SUCCESS)
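Review bot: both clamps in this hunk are off by one. With `copylen = (key.dsize > sizeof(kb)) ? sizeof(kb) : key.dsize;` an oversized key yields `copylen == sizeof(kb)`, and the following `kb[copylen] = '\0';` writes one byte past the end of `kb` (declared `char kb[MAX_STRING_LEN]` in the previous hunk); the same holds for `rec[copylen] = '\0';` after clamping to `HUGE_STRING_LEN` if `rec` is `HUGE_STRING_LEN` bytes, as the clamp constant suggests. The caps need to be `sizeof(kb) - 1` and `HUGE_STRING_LEN - 1`, or the copies replaced by `apr_pstrndup(htdbm->pool, key.dptr, key.dsize)` style allocations, which remove the fixed buffers altogether. The change to `fprintf(stderr, "%s", cmnt + 1);` is the correct fix for the format string; consider also reporting when a key or value was truncated, since a silently shortened listing hides exactly the record an administrator would want to inspect.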
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
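The record handling that the report describes for htdbm's list and verify paths, written as an added example (not code from httpd, APR or the patch above): a bounded copy of a DBM datum that always terminates and can never place the terminator past the buffer, and a listing line that passes record contents to printf as a "%s" argument rather than as the format. The ';' and ':' separators follow the strchr() calls in the patch; buffer sizes and the sample records are constructed for the example.

```c
/* Added example, not part of httpd's htdbm.c or the reporter's patch.
 * Shows how list/verify should treat a DBM key/value of arbitrary length
 * and content: bounded copy with a guaranteed NUL, and no attacker data
 * used as a printf format. Sizes and separators are assumptions. */
#include <stdio.h>
#include <string.h>

/* Copy a DBM datum (raw bytes, not NUL-terminated) into dst.
 * Copies at most dstsize - 1 bytes so the terminator lands inside dst,
 * never at dst[dstsize]. Returns the number of payload bytes copied;
 * a value smaller than srcsize tells the caller the datum was truncated. */
size_t datum_copy(char *dst, size_t dstsize, const void *src, size_t srcsize)
{
    size_t n;
    if (dstsize == 0)
        return 0;
    n = srcsize < dstsize - 1 ? srcsize : dstsize - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

/* Text after the first separator of a copied record, or "" if absent.
 * The field before the separator is the password hash. */
const char *record_after(const char *rec, char sep)
{
    const char *p = strchr(rec, sep);
    return p ? p + 1 : "";
}

/* Render one listing line ("    <key padded to 32><comment>") into out.
 * The comment is a "%s" argument, so "%n" inside it is printed literally.
 * Returns the length the full line would have, as snprintf does. */
int format_list_line(char *out, size_t outsize, const char *key, const char *rec)
{
    return snprintf(out, outsize, "    %-32s%s", key, record_after(rec, ':'));
}

/* Password field of a verify-record ("hash;comment") into a caller buffer,
 * bounded by datum_copy; returns bytes copied (truncation detectable). */
size_t record_password(char *dst, size_t dstsize, const char *rec)
{
    const char *p = strchr(rec, ';');
    size_t len = p ? (size_t)(p - rec) : strlen(rec);
    return datum_copy(dst, dstsize, rec, len);
}

int main(void)
{
    /* Constructed sample data standing in for what apr_dbm_fetch returns:
     * a key far longer than the listing buffer and a value carrying
     * printf directives in its comment field. */
    char longkey[300];
    const char hostile[] = "$apr1$abc$hash:%n%s%x crafted comment";
    char kb[32], rec[64], line[128], pwd[16];
    size_t copied;

    memset(longkey, 'A', sizeof(longkey));
    copied = datum_copy(kb, sizeof(kb), longkey, sizeof(longkey));
    printf("key: copied %zu of %zu bytes, truncated=%d\n",
           copied, sizeof(longkey), copied < sizeof(longkey));

    datum_copy(rec, sizeof(rec), hostile, strlen(hostile));
    format_list_line(line, sizeof(line), kb, rec);
    puts(line);

    record_password(pwd, sizeof(pwd), "secret;comment");
    printf("password field: %s\n", pwd);
    return 0;
}
```

The truncation return value is the part the patch lacks: a clamp that silently shortens a key or value produces a listing that no longer matches the database, so the caller should at least warn when `datum_copy` returns less than the datum size.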