In article <3C3CCEFE.6080501@snosoft.com> dotslash@snosoft.com writes:
>> Doh! Looks like I slept on this one too long... here's some of my
>> personal notes on exploiting this issue. Have fun.

Thanks for your report.

>> Here is my research on the above issues:
>> There are several buffer overflows in the QUERY_STRING options
>> Unfortunately the check in namazu.h screws us...

Yes, I had recognized it. So there is a notice about it as the following;

libnamazu.h:
enum {
  /* Size of general buffers. This MUST be larger than QUERY_MAX */
  BUFSIZE = 1024,
  QUERY_TOKEN_MAX = 32, /* Max number of tokens in the query. */
  QUERY_MAX = 256,      /* Max length of the query. */
  INDEX_MAX = 64        /* Max number of databases */
};

.. Oops, it only mentions QUERY_MAX, nothing about CGI_QUERY_MAX. I'll fix it.

>> In other words unless you have modified namazu then you are not vuln.
>> Now we can exploit this via the command line as a side note ... although
>> it's not suid...
>> [root@linuxppc src]# ./namazu querystring `perl -e 'print "A" x 1024'`
>> Results:
>>
>> References: [ (can't open the index) ]
>>
>> No document matching your query.
>> Aborted (core dumped)

The CGI program (namazu.cgi) and the command-line program (namazu) are separate, and the command-line program is prohibited from being invoked as CGI. Therefore I think it is not so serious. At all events, I'll fix it in the next release.

Thanks.

--
NOKUBI Takatsugu
E-mail: knok@daionet.gr.jp
knok@namazu.org / knok@debian.org
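As an added illustration, not namazu's own code and not from either poster: the length check the reply refers to, written so that the "BUFSIZE MUST be larger than QUERY_MAX" invariant from the libnamazu.h comment is enforced at compile time and an over-long query such as the 1024-byte one in the quoted session is rejected before anything is copied. The names copy_query_checked and reject_1024_a are hypothetical; CGI_QUERY_MAX is not modelled because the message gives no value for it.

```c
#include <stddef.h>
#include <string.h>

/* Limits as they appear in libnamazu.h in the message above. */
enum {
    /* Size of general buffers. This MUST be larger than QUERY_MAX */
    BUFSIZE = 1024,
    QUERY_TOKEN_MAX = 32,   /* Max number of tokens in the query. */
    QUERY_MAX = 256,        /* Max length of the query. */
    INDEX_MAX = 64          /* Max number of databases */
};

/* Compile-time guard for the invariant the header states only in a comment:
 * a query that passes the QUERY_MAX check must fit, with its NUL, in a
 * BUFSIZE buffer. The build fails if someone later edits one constant. */
typedef char bufsize_must_exceed_query_max[(BUFSIZE > QUERY_MAX) ? 1 : -1];

/* Bounded length scan: never reads more than limit + 1 bytes of src. */
static size_t bounded_len(const char *src, size_t limit)
{
    size_t n = 0;
    while (n <= limit && src[n] != '\0')
        n++;
    return n;            /* limit + 1 means "longer than limit" */
}

/* Hypothetical helper: copy a query into a fixed buffer only if its length
 * is within QUERY_MAX and fits dst. Returns the length copied, or -1 when
 * the input is rejected. It never writes past dst and never truncates
 * silently, so an over-long query cannot reach the rest of the program. */
int copy_query_checked(char *dst, size_t dstsize, const char *src)
{
    size_t len = bounded_len(src, QUERY_MAX);
    if (len > QUERY_MAX || len + 1 > dstsize)
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return (int)len;
}

/* Constructed input matching the quoted session: 1024 bytes of 'A'. */
int reject_1024_a(void)
{
    char query[BUFSIZE + 1];
    char buf[BUFSIZE];
    memset(query, 'A', 1024);
    query[1024] = '\0';
    return copy_query_checked(buf, sizeof buf, query); /* -1: rejected */
}
```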