qitest1 security advisory #003
Bug in mnogosearch-3.1.19 and prior
-----------------------------------------------

PROGRAM DESCRIPTION

mnoGoSearch is a full-featured SQL based web search engine, available from http://www.mnogosearch.org.

PROBLEM DESCRIPTION

When it receives an overly long query string (the q variable), search.cgi segfaults (http://127.0.0.1/cgi-bin/search.cgi?q=query). The bug lies in mishandling of heap-allocated memory. It could be abused by remote attackers to execute code with the web server's privileges.

SOLUTION

The authors were contacted a month ago: they told me that the CVS version had been fixed. Nevertheless, the stable version recommended on their web site is still affected. For now you should disable search.cgi, apply the stupid patch attached to this advisory (for 3.1.19), or install the latest CVS version.

--
---- q1--
http://qitest1.0xfee1dead.net/
--
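As an added example (not mnoGoSearch code), a bounded CGI query decoder of the kind the attached patch only approximates with a fixed 512-byte limit: it refuses, instead of overrunning, when the decoded q value would not fit the caller's buffer. The function name and the '+'/%XX decoding rules are assumptions about what a CGI unescape routine like UdmUnescapeCGIQuery does.

```c
/* Bounded CGI query unescape (added example, not mnoGoSearch code).
 * Assumes the caller passes the raw value of the q= parameter. */
#include <ctype.h>
#include <stddef.h>
#include <string.h>

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode %XX and '+' from src into dst (dstsize bytes including the NUL).
 * Returns the decoded length, or -1 if the result would not fit.
 * The output never exceeds the buffer the caller owns, which is the
 * bound the advisory says search.cgi lacked for a long q value. */
int unescape_query(char *dst, size_t dstsize, const char *src)
{
    size_t n = 0;
    if (dstsize == 0) return -1;
    for (; *src; src++) {
        int c = (unsigned char)*src;
        if (c == '+') {
            c = ' ';
        } else if (c == '%') {
            int hi = src[1] ? hexval((unsigned char)src[1]) : -1;
            int lo = (hi >= 0 && src[2]) ? hexval((unsigned char)src[2]) : -1;
            if (hi >= 0 && lo >= 0) { c = hi * 16 + lo; src += 2; }
            /* a malformed %XX sequence is copied literally */
        }
        if (n + 1 >= dstsize) { dst[0] = '\0'; return -1; } /* no room for byte + NUL */
        dst[n++] = (char)c;
    }
    dst[n] = '\0';
    return (int)n;
}
```

The check is against the destination size, not a magic number, so it stays correct if the buffer size (UDMSTRSIZ in search.c) changes.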
--- src/search.c Tue Jun 26 10:55:17 2001 +++ src/search.c Wed May 8 15:17:12 2002 @@ -1403,6 +1403,13 @@ */ if(!UDM_STRNCMP(token,"q=")){ char str[UDMSTRSIZ]=""; + /* Really temporary security fix */ + if(strlen(token) > 512) + { + printf("<html><body>Query string too long</body></html>\n"); + exit(1); + } + /* q1-- */ query_words=strdup(UdmUnescapeCGIQuery(str,token+2)); query_url_escaped=strdup(UdmEscapeURL(str,query_words)); query_form_escaped=UdmHtmlSpecialChars(query_words);
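Review bot: the 512 limit is a magic number with no relation to UDMSTRSIZ, the actual size of `str` that both UdmUnescapeCGIQuery and UdmEscapeURL write into; tie the guard to the buffer (`if(strlen(token) >= sizeof(str))`) and note that UdmEscapeURL(str,query_words) can expand its input (one byte can become %XX), so the bound must leave room for that expansion, not just for the unescaped length. The proper fix is a length-checked copy inside those two routines so every caller is protected, and the "Really temporary security fix" comment should say so. The rejection path also prints an HTML body with no Content-Type header and then exit(1)s; that is only correct if the CGI headers were already emitted before this point, otherwise the web server returns a 500 instead of the message.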