You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Robert Brockway <rb...@fscinternet.com> on 2003/06/19 18:33:48 UTC
[users@httpd] Old apache exploit - Security Focus ID 5993
Hi all. I'm going through some old exploits at the moment (don't ask :)
and came across this one.
Security Focus ID 5993 is a Buffer Overflow in HTDigest in apache 1.3.
According to security focus (http://www.securityfocus.com/bid/5993) , all
versions up to _and including_ 1.3.27 are vulnerable. Now it isn't
uncommon for SF to get a few details wrong, or to not update the exploit
when a patch comes out, but I've RTFMed on this and found only the same
information repeated.
Additionally the vulnerability hasn't been issued a CVE or even a CAN
entry as far as I can tell.
Do the apache gurus out there have any comment on this - perhaps Security
Focus was smoking something when they posted this vulnerability :) Ie, is
this really a vulnerability, and if so, is 1.3.27 really affected?
TIA.
Rob
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Old apache exploit - Security Focus ID 5993
Posted by Joshua Slive <jo...@slive.ca>.
On Thu, 19 Jun 2003, Robert Brockway wrote:
> Hi all. I'm going through some old exploits at the moment (don't ask :)
> and came across this one.
>
> Security Focus ID 5993 is a Buffer Overflow in HTDigest in apache 1.3.
>
> According to security focus (http://www.securityfocus.com/bid/5993) , all
> versions up to _and including_ 1.3.27 are vulnerable. Now it isn't
> uncommon for SF to get a few details wrong, or to not update the exploit
> when a patch comes out, but I've RTFMed on this and found only the same
> information repeated.
>From here:
http://cvs.apache.org/viewcvs.cgi/apache-1.3/src/support/htdigest.c
You can tell that the version with the fix has not yet been released.
But this is really not a very serious problem. It would only be
exploitable if htdigest were to be called from a cgi script which is
1) rather a difficult thing to accomplish since it calls getpass, and 2)
not advisable for several other reasons.
Joshua.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org