Multiple vulnerabilities in atphttpd-0.4b

2002-07-13T00:00:00
ID SECURITYVULNS:DOC:3209
Type securityvulns
Reporter Securityvulns
Modified 2002-07-13T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            QITEST1 SECURITY ADVISORY #004

Multiple vulnerabilities in atphttpd-0.4b

PROGRAM DESCRIPTION

atphttpd is a caching, tiny - and buggy - webserver written by Yann Ramin <atrus@atrustrivalie.eu.org>.

DETAILS

There are several remotely exploitable flaws in the source code: regular buffer overflows (unbounded sprintf() and sscanf() writes into fixed-size stack buffers while handling a request) and an off-by-one buffer overflow in the request line reader. Each is reachable from the network before any access control, so an attacker who triggers one gains the privileges of the user running atphttpd.
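
The three flaw classes above, as an added illustration that is not atphttpd's code: an unbounded error-page sprintf(), an sscanf() that scans "%[^ ]" into fixed arrays, and a line reader whose terminator lands one byte past its buffer, each shown next to a bounded version that fails closed. MAX_BUFFER, MAX_STORE, the function names (read_line_bounded stands in for sock_gets) and the sample request lines are assumptions chosen for the demonstration. It goes one step beyond the fix in the advisory: an over-long field or line is rejected rather than silently cut short.

```c
/*
 * Added illustration, not atphttpd's code. MAX_BUFFER, MAX_STORE, the
 * function names and the sample request lines are assumptions for the demo.
 */
#include <stdio.h>
#include <string.h>

#define MAX_BUFFER 64   /* assumed; small so the limits are easy to hit */
#define MAX_STORE  16   /* assumed per-field capacity, NUL included */

struct request {
    char method[MAX_STORE];
    char path[MAX_STORE];
    char protocol[MAX_STORE];
};

/* Stand-in for sock_gets(): copies src up to the first '\n' into dst.
 * dstsz is the whole array and the NUL always lands inside it, so the
 * caller passes sizeof buf, not sizeof buf - 1. A line that does not fit
 * is rejected (-1) rather than clipped: a clipped request line parses as
 * a different request. Returns the line length otherwise. */
int read_line_bounded(const char *src, char *dst, size_t dstsz)
{
    size_t n = strcspn(src, "\n");
    if (dstsz == 0 || n >= dstsz)   /* n == dstsz - 1 is the last safe length */
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return (int)n;
}

/* Patch-style parse: sscanf with a field width derived from MAX_STORE at
 * run time so the two cannot drift apart. Returns the conversion count.
 * Weakness kept on purpose: an over-long field is cut at MAX_STORE - 1 and
 * its tail is consumed as the *next* field, so a count of 3 does not
 * prove the request line was well formed. */
int parse_request_truncating(const char *line, struct request *r)
{
    char fmt[32];
    int w = MAX_STORE - 1;
    snprintf(fmt, sizeof fmt, "%%%ds %%%ds %%%ds", w, w, w);
    return sscanf(line, fmt, r->method, r->path, r->protocol);
}

/* Strict parse: copy each whitespace-delimited token only if it fits.
 * 0 on success, -1 if a field is missing, -2 if a field is too long. */
static int take_token(const char **cur, char *dst, size_t dstsz)
{
    const char *p = *cur + strspn(*cur, " \t");
    size_t n = strcspn(p, " \t\r\n");
    if (n == 0)     return -1;
    if (n >= dstsz) return -2;
    memcpy(dst, p, n);
    dst[n] = '\0';
    *cur = p + n;
    return 0;
}

int parse_request_strict(const char *line, struct request *r)
{
    const char *cur = line;
    int rc;
    if ((rc = take_token(&cur, r->method, sizeof r->method)) != 0) return rc;
    if ((rc = take_token(&cur, r->path, sizeof r->path)) != 0) return rc;
    return take_token(&cur, r->protocol, sizeof r->protocol);
}

/* Bounded error page. snprintf never overruns out, but it returns the length
 * it wanted to write, so a value >= outsz means the attacker-controlled text
 * was clipped. Returns the page length, or -1 when truncated. */
int format_error_page(char *out, size_t outsz, int status,
                      const char *title, const char *text)
{
    int n = snprintf(out, outsz,
                     "<HTML><HEAD><TITLE>%d %s</TITLE></HEAD>\n"
                     "<BODY><H2>%d %s</H2>\n<b>%s</b></BODY></HTML>\n",
                     status, title, status, title, text);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

int main(void)
{
    /* Constructed request with a 31-byte path, longer than MAX_STORE - 1. */
    const char *evil = "GET /" "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" " HTTP/1.0\n";
    char line[MAX_BUFFER];
    struct request r;
    if (read_line_bounded(evil, line, sizeof line) < 0)
        return 1;
    printf("truncating: %d fields, path=%s protocol=%s\n",
           parse_request_truncating(line, &r), r.path, r.protocol);
    printf("strict: %d\n", parse_request_strict(line, &r));
    return 0;
}
```

Run as-is, the program shows the difference between the two parsers on the same over-long path: the width-limited sscanf() reports three fields but the "protocol" it returns is the tail of the path, while the strict parser reports -2 and never touches hc-style state with a half-parsed request.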

SOLUTION

The author was contacted but could not be reached. The following patch should fix these bugs.

==8< atphttpd-0.4b.patch 8<== diff -u atphttpd-0.4b-old/atphttpd/http_handler.c atphttpd-0.4b/atphttpd/http_handler.c - --- atphttpd-0.4b-old/atphttpd/http_handler.c Sat Apr 22 05:05:57 2000 +++ atphttpd-0.4b/atphttpd/http_handler.c Fri Jul 12 13:20:16 2002 @@ -235,7 +235,7 @@ (void) sprintf(buffer, "<HTML><HEAD><TITLE>%d %s</TITLE></HEAD>\n<BODY><H2>%d %s</H2>\n", status, title, status, title ); sock_puts(hc[listnum].socket, buffer);

    • (void) sprintf(buffer, "The following error occurred while trying to examine the garbage that you sent this poor webserver: <br><b>%s</b><br><br>\n", text );
  • snprintf(buffer, sizeof(buffer), "The following error occurred while trying to examine the garbage that you sent this poor webserver: <br><b>%s</b><br><br>\n", text); sock_puts(hc[listnum].socket, buffer);

    (void) sprintf(buffer, "<HR>\n<ADDRESS>This cool page was automaticly generated by the trained rodents living inside the <A HREF=\"%s\">%s</A> webserver.</ADDRESS>\n</BODY></HTML>\n", SERVER_URL, SERVER_NAME ); diff -u atphttpd-0.4b-old/atphttpd/main.c atphttpd-0.4b/atphttpd/main.c - --- atphttpd-0.4b-old/atphttpd/main.c Sat Apr 22 05:06:00 2000 +++ atphttpd-0.4b/atphttpd/main.c Fri Jul 12 13:30:55 2002 @@ -141,13 +141,11 @@ } }

    • void deal_with_data(int listnum) {
    • char buffer[MAX_BUFFER]; / Buffer for socket reads /
  • -// char cur_char; / Used in processing buffer */
    • char method[MAX_STORE], path[MAX_STORE], protocol[MAX_STORE];
  • -
    • if (sock_gets(hc[listnum].socket,buffer,MAX_BUFFER) < 0) { +void deal_with_data(int listnum) {
  • char buffer[MAX_BUFFER];
  • char method[MAX_STORE], path[MAX_STORE], protocol[MAX_STORE];

  • if (sock_gets(hc[listnum].socket, buffer, MAX_BUFFER - 1) < 0) { close(hc[listnum].socket); hc[listnum].socket = 0; } else { @@ -155,7 +153,7 @@ *
    * Right now it is very dumb, and only checks for a get header * * Improvements? */

    • sscanf( buffer, "%[^ ] %[^ ] %[^ ]", method, path, protocol );
  • sscanf(buffer, "%1023s %1023s %1023s", method, path, protocol); if ( strcasecmp( method, "get" ) == 0 || strcasecmp( method, "head" ) == 0) {

strcpy(hc[listnum].path, path);

==8< atphttpd-0.4b.patch 8<==
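Review bot: in the http_handler.c hunk (@@ -235,7 +235,7 @@) only the middle sprintf() is converted; the `(void) sprintf(buffer, "<HTML><HEAD><TITLE>%d %s ...` line before it and the SERVER_URL/SERVER_NAME footer after it stay unbounded. Their arguments may be constants today, but the fix should be uniform: make all three snprintf(buffer, sizeof(buffer), ...) and, since snprintf() returns the length it wanted, consider checking for a result >= sizeof(buffer) before sock_puts() so a clipped page is noticed. Also confirm that `buffer` is an array declared in this function and not a `char *` parameter; its declaration is outside the hunk, and sizeof(buffer) on a pointer would silently bound the write to pointer size.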
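Review bot: in the first main.c hunk (@@ -141,13 +141,11 @@) passing `MAX_BUFFER - 1` to sock_gets() works around the off-by-one at this call site rather than fixing it in sock_gets(), so any other caller that passes its full buffer size keeps the bug, and nothing in the hunk records why the -1 is needed. Either fix sock_gets() so that a length of `len` reserves room for its own terminator, or add a comment here stating the contract (sock_gets() writes up to len bytes and then a NUL). The removal of the commented-out `cur_char` declaration is harmless cleanup but deserves a line in the patch description so it is not mistaken for part of the fix.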
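Review bot: in the second main.c hunk (@@ -155,7 +153,7 @@) the width `1023` in `"%1023s %1023s %1023s"` is a magic number that must equal MAX_STORE - 1, and nothing ties the two together, so a later change to MAX_STORE brings the overflow straight back; derive the format from MAX_STORE (a stringified macro, or a format built with snprintf() at run time) instead. The return value of sscanf() is still unchecked: if fewer than three fields convert, `path` is uninitialized when the `strcpy(hc[listnum].path, path);` below copies it, and that strcpy() is itself unbounded unless hc[].path is at least MAX_STORE bytes, which the hunk does not show, so check for a count of 3 and size or bound that copy as well. Note too that `%s` skips leading whitespace and stops at any whitespace character, where `%[^ ]` stopped only at a space; that is probably the intended behaviour for a request line but should be stated.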

--
q1
Web: http://bespin.org/~qitest1
GPG public key: http://bespin.org/~qitest1/qitest1.gpg.key

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9LtQ/IrsshIyVmPkRAvrcAJ4pmxndYZKUhhz8kgTyY3gJ1gvoWQCgk3mh
pnhu3Y3K7gzgiroXxvvjKF4=
=cnA0
-----END PGP SIGNATURE-----