Multiple vulnerabilities in atphttpd-0.4b

QITEST1 SECURITY ADVISORY #004

Multiple vulnerabilities in atphttpd-0.4b

PROGRAM DESCRIPTION
atphttpd is a caching, tiny - and buggy - webserver written by Yann
Ramin <atrus@atrustrivalie.eu.org>.

DETAILS
There are several remotely exploitable flaws in the source code:
regular buffer overflows and an off-by-one buffer overflow.
An attacker would gain the privileges of the user running atphttpd.

SOLUTION
The author was contacted but was not reachable. The following patch
should fix these bugs.

==8< atphttpd-0.4b.patch 8<==
diff -u atphttpd-0.4b-old/atphttpd/http_handler.c atphttpd-0.4b/atphttpd/http_handler.c
- --- atphttpd-0.4b-old/atphttpd/http_handler.c	Sat Apr 22 05:05:57 2000
+++ atphttpd-0.4b/atphttpd/http_handler.c	Fri Jul 12 13:20:16 2002
@@ -235,7 +235,7 @@
     (void) sprintf(buffer, "<HTML><HEAD><TITLE>%d %s</TITLE></HEAD>\n<BODY><H2>%d %s</H2>\n", status, title, status, title );
     sock_puts(hc[listnum].socket, buffer);
 
- -    (void) sprintf(buffer, "The following error occurred while trying to examine the garbage that you sent this poor webserver: <br><b>%s</b><br><br>\n", text );
+    snprintf(buffer, sizeof(buffer), "The following error occurred while trying to examine the garbage that you sent this poor webserver: <br><b>%s</b><br><br>\n", text);
     sock_puts(hc[listnum].socket, buffer);
 
     (void) sprintf(buffer, "<HR>\n<ADDRESS>This cool page was automaticly generated by the trained rodents living inside the <A HREF=\"%s\">%s</A> webserver.</ADDRESS>\n</BODY></HTML>\n", SERVER_URL, SERVER_NAME );
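Review bot: the fix bounds only the middle sprintf, the one that echoes request-derived `text`; the two neighbouring calls in the same function (the TITLE line above and the ADDRESS footer below) stay unbounded. They format `status`/`title` and `SERVER_URL`/`SERVER_NAME` rather than client input, but converting all three to `snprintf(buffer, sizeof(buffer), ...)` would make the function uniformly safe and keep a later change from reintroducing the bug. Also note that `sizeof(buffer)` is the real capacity only if `buffer` is declared as an array in this function; if it is a pointer, the size must be passed explicitly.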
diff -u atphttpd-0.4b-old/atphttpd/main.c atphttpd-0.4b/atphttpd/main.c
- --- atphttpd-0.4b-old/atphttpd/main.c	Sat Apr 22 05:06:00 2000
+++ atphttpd-0.4b/atphttpd/main.c	Fri Jul 12 13:30:55 2002
@@ -141,13 +141,11 @@
          }
  }
 
- - void deal_with_data(int listnum) {
- -         char buffer[MAX_BUFFER];     /* Buffer for socket reads */
- -//         char *cur_char;      /* Used in processing buffer */
- -         char method[MAX_STORE], path[MAX_STORE], protocol[MAX_STORE];
- -
- -         if (sock_gets(hc[listnum].socket,buffer,MAX_BUFFER) < 0) {
+void deal_with_data(int listnum) {
+	char buffer[MAX_BUFFER];
+	char method[MAX_STORE], path[MAX_STORE], protocol[MAX_STORE];
 
+	if (sock_gets(hc[listnum].socket, buffer, MAX_BUFFER - 1) < 0) {
                  close(hc[listnum].socket);
                  hc[listnum].socket = 0;
          } else {
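Review bot: passing `MAX_BUFFER - 1` instead of `MAX_BUFFER` to `sock_gets` fixes the off-by-one only if `sock_gets` may write up to its length argument and then appends a terminating NUL; if it already counts the terminator, the `- 1` is harmless but unnecessary. State that contract in a comment next to the call, or better, fix `sock_gets` so callers can pass `sizeof(buffer)` and the arithmetic lives in one place. The hunk also drops the `/* Buffer for socket reads */` comment along with the commented-out `cur_char`; removing dead code is fine, but the comment on `buffer` was worth keeping.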
@@ -155,7 +153,7 @@
 								*                                                              *
 								* Right now it is very dumb, and only checks for a get header   *
 								* Improvements? */
- -                 sscanf( buffer, "%[^ ] %[^ ] %[^ ]", method, path, protocol );
+		sscanf(buffer, "%1023s %1023s %1023s", method, path, protocol);
                  if ( strcasecmp( method, "get" ) == 0 || strcasecmp( method, "head" ) == 0) {
 										strcpy(hc[listnum].path, path);
 										
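Review bot: the width in `%1023s` is a literal while the destination arrays are `MAX_STORE` bytes, so if `MAX_STORE` is ever lowered below 1024 the overflow returns silently; derive the width from the constant (a stringizing macro) or add a compile-time check that `MAX_STORE >= 1024`. Two further points in this hunk: `%s` stops at any whitespace, so a tab-separated request line now splits differently than it did with `%[^ ]` (acceptable, but a behaviour change), and the unchanged `strcpy(hc[listnum].path, path)` on the last context line copies up to 1023 bytes into `hc[listnum].path`, whose size is not shown; unless that field is at least `MAX_STORE` bytes, the overflow has only moved one line down.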
==8< atphttpd-0.4b.patch 8<==
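As an added illustration of the request-line hardening in the main.c hunk (example code written for this advisory, not the patch itself or atphttpd's source): the patch's width-bounded sscanf beside an explicit-length tokenizer, with the scanf width derived from the buffer size instead of hard-coded. The name MAX_STORE is the program's; its value of 1024 is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Token buffers sized like atphttpd's method/path/protocol arrays.
 * MAX_STORE's value is assumed here: the advisory's patch hard-codes
 * %1023s, which is only safe if MAX_STORE is at least 1024. Deriving
 * the scanf width from one constant keeps the two from drifting. */
#define MAX_TOKEN 1023
#define MAX_STORE (MAX_TOKEN + 1)
#define STR_(x) #x
#define STR(x) STR_(x)
#define TOKEN_FMT "%" STR(MAX_TOKEN) "s"   /* expands to "%1023s" */

/* The patched approach: width-bounded sscanf. It cannot overflow, but an
 * over-long token is silently cut and its tail lands in the next field. */
int parse_sscanf(const char *line, char method[MAX_STORE],
                 char path[MAX_STORE], char protocol[MAX_STORE])
{
    return sscanf(line, TOKEN_FMT " " TOKEN_FMT " " TOKEN_FMT,
                  method, path, protocol) == 3;
}

/* Copy one space-delimited token into out; fail if it is empty or
 * would not fit together with its terminating NUL. */
static int take_token(const char **cursor, char out[MAX_STORE])
{
    const char *p = *cursor + strspn(*cursor, " ");
    size_t len = strcspn(p, " \r\n");
    if (len == 0 || len >= MAX_STORE)
        return 0;
    memcpy(out, p, len);
    out[len] = '\0';
    *cursor = p + len;
    return 1;
}

/* Explicit-length variant: same bound, but an over-long token makes the
 * whole request line fail instead of being truncated or shifted. */
int parse_strict(const char *line, char method[MAX_STORE],
                 char path[MAX_STORE], char protocol[MAX_STORE])
{
    const char *cursor = line;
    return take_token(&cursor, method) && take_token(&cursor, path) &&
           take_token(&cursor, protocol);
}
```

With a 2000-byte path both parsers stay inside their buffers, but parse_sscanf reports success with the path cut at 1023 bytes and the remainder in protocol, while parse_strict rejects the line.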

-- q1
Web: http://bespin.org/~qitest1
GPG public key: http://bespin.org/~qitest1/qitest1.gpg.key
