mnoGoSearch search.cgi Long Parameter Overflow

2004-04-08T23:13:54
ID OSVDB:5084
Type osvdb
Reporter qitest1(qitest1@bespin.org)
Modified 2004-04-08T23:13:54

Description

Vulnerability Description

A remote overflow exists in mnoGoSearch 3.1.19 and earlier. mnoGoSearch fails to check the length of the query string, resulting in a heap-based overflow. With a specially crafted request, an attacker can cause a buffer overflow resulting in execution of code with webserver privileges.
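As an added illustration (not code from mnoGoSearch and not the advisory's own patch), the C sketch below shows the defensive pattern the fix relies on: reject an over-long `q=` value before anything is decoded into a fixed-size buffer, with the limit derived from the buffer's capacity rather than a hard-coded constant. `QUERY_BUF_SIZE`, `decode_query_param` and the small percent-decoder are assumptions standing in for mnoGoSearch's UDMSTRSIZ and UdmUnescapeCGIQuery; the sample tokens are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer capacity, standing in for mnoGoSearch's UDMSTRSIZ. */
#define QUERY_BUF_SIZE 512

enum query_status {
    QUERY_OK = 0,         /* value decoded into dst */
    QUERY_TOO_LONG = 1,   /* raw value would not fit dst; nothing written */
    QUERY_BAD_ESCAPE = 2, /* malformed %XX sequence */
    QUERY_NO_PARAM = 3    /* token is not a "q=" parameter */
};

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode the value of a "q=..." CGI token into dst (capacity dst_size).
 * The length check runs before any byte is written: percent-decoding and
 * '+' -> ' ' never lengthen a string, so the raw length is a safe bound. */
enum query_status decode_query_param(const char *token, char *dst, size_t dst_size)
{
    const char *src;
    size_t out = 0;

    if (dst_size == 0) return QUERY_TOO_LONG;
    if (strncmp(token, "q=", 2) != 0) return QUERY_NO_PARAM;
    src = token + 2;
    if (strlen(src) >= dst_size) return QUERY_TOO_LONG; /* keep room for the NUL */

    while (*src) {
        if (*src == '+') {
            dst[out++] = ' ';
            src++;
        } else if (*src == '%') {
            int hi = hexval((unsigned char)src[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)src[2]);
            if (lo < 0) { dst[0] = '\0'; return QUERY_BAD_ESCAPE; }
            dst[out++] = (char)(hi * 16 + lo);
            src += 3;
        } else {
            dst[out++] = *src++;
        }
    }
    dst[out] = '\0';
    return QUERY_OK;
}

/* Helpers over constructed inputs so the behaviour can be checked directly. */
enum query_status status_for(const char *token)
{
    char buf[QUERY_BUF_SIZE];
    return decode_query_param(token, buf, sizeof buf);
}

const char *decoded_copy(const char *token)
{
    static char buf[QUERY_BUF_SIZE];
    return decode_query_param(token, buf, sizeof buf) == QUERY_OK ? buf : NULL;
}

/* Build "q=" followed by value_len 'A's (constructed input) and report the status. */
enum query_status boundary_check(size_t value_len)
{
    enum query_status st;
    char *token = malloc(value_len + 3);
    if (!token) return QUERY_TOO_LONG;
    memcpy(token, "q=", 2);
    memset(token + 2, 'A', value_len);
    token[value_len + 2] = '\0';
    st = status_for(token);
    free(token);
    return st;
}

int main(void)
{
    printf("%s\n", decoded_copy("q=hello+world%21"));
    printf("511-byte value: %d, 512-byte value: %d\n",
           boundary_check(QUERY_BUF_SIZE - 1), boundary_check(QUERY_BUF_SIZE));
    return 0;
}
```

The point of `boundary_check` is the off-by-one edge: a value of exactly `QUERY_BUF_SIZE - 1` bytes still fits with its terminator, while `QUERY_BUF_SIZE` bytes is refused before a single byte is copied, so a change to the buffer size automatically moves the limit with it.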

Solution Description

Upgrade to version 3.1.20 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround(s):

-- ---- q1-- http://qitest1.0xfee1dead.net/ --

--- src/search.c Tue Jun 26 10:55:17 2001 +++ src/search.c Wed May 8 15:17:12 2002 @@ -1403,6 +1403,13 @@ / if(!UDM_STRNCMP(token,"q=")){ char str[UDMSTRSIZ]=""; + / Really temporary security fix / + if(strlen(token) > 512) + { + printf("<html><body>Query string too long</body></html>\n"); + exit(1); + } + / q1-- */ query_words=strdup(UdmUnescapeCGIQuery(str,token+2)); query_url_escaped=strdup(UdmEscapeURL(str,query_words)); query_form_escaped=UdmHtmlSpecialChars(query_words);
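Review bot: the guard `if(strlen(token) > 512)` hard-codes a limit that is unrelated to the buffer it protects, `char str[UDMSTRSIZ]=""`; express it in terms of the buffer (`strlen(token) >= sizeof(str)` or UDMSTRSIZ) so the check cannot silently drift from the allocation if UDMSTRSIZ changes. Printing an HTML page and calling `exit(1)` from inside the parameter parser is acceptable for the stop-gap the `Really temporary security fix` comment admits it is, but a return path that lets search.cgi emit a proper error would be cleaner. The comment delimiters also read here as `/ ... /` rather than `/* ... */`, so the applied patch should be checked for the intended syntax.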

Short Description

A remote overflow exists in mnoGoSearch 3.1.19 and earlier. mnoGoSearch fails to check the length of the query string, resulting in a heap-based overflow. With a specially crafted request, an attacker can cause a buffer overflow resulting in execution of code with webserver privileges.

References:

Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2002-05/0092.html
Keyword: mnoGoSearch
Keyword: search.cgi
Keyword: overflow
Keyword: query string
ISS X-Force ID: 9060
CVE-2002-0789
Bugtraq ID: 4724