Posted to users@httpd.apache.org by Robert Brockway <rb...@fscinternet.com> on 2003/06/19 18:33:48 UTC

[users@httpd] Old apache exploit - Security Focus ID 5993

Hi all.  I'm going through some old exploits at the moment (don't ask :)
and came across this one.

Security Focus ID 5993 is a Buffer Overflow in HTDigest in apache 1.3.

According to security focus (http://www.securityfocus.com/bid/5993) , all
versions up to _and including_ 1.3.27 are vulnerable.  Now it isn't
uncommon for SF to get a few details wrong, or to not update the exploit
when a patch comes out, but I've RTFMed on this and found only the same
information repeated.

Additionally the vulnerability hasn't been issued a CVE or even a CAN
entry as far as I can tell.

Do the apache gurus out there have any comment on this - perhaps Security
Focus was smoking something when they posted this vulnerability :)  I.e., is
this really a vulnerability, and if so, is 1.3.27 really affected?

TIA.

Rob

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Old apache exploit - Security Focus ID 5993

Posted by Joshua Slive <jo...@slive.ca>.
On Thu, 19 Jun 2003, Robert Brockway wrote:

> Hi all.  I'm going through some old exploits at the moment (don't ask :)
> and came across this one.
>
> Security Focus ID 5993 is a Buffer Overflow in HTDigest in apache 1.3.
>
> According to security focus (http://www.securityfocus.com/bid/5993) , all
> versions up to _and including_ 1.3.27 are vulnerable.  Now it isn't
> uncommon for SF to get a few details wrong, or to not update the exploit
> when a patch comes out, but I've RTFMed on this and found only the same
> information repeated.

From here:
http://cvs.apache.org/viewcvs.cgi/apache-1.3/src/support/htdigest.c
You can tell that the version with the fix has not yet been released.

But this is really not a very serious problem.  It would only be
exploitable if htdigest were to be called from a cgi script which is
1) rather a difficult thing to accomplish since it calls getpass, and 2)
not advisable for several other reasons.

Joshua.

