> Here is a patch to fix the vulnerability (tested against webalizer-2.01-06).

Bad fix.. while it will prevent the buffer from overflowing (which I still fail to see how can be used to execute a 'root' exploit, even with a LOT of imagination), but will cause the buffer to be filled with a non-null terminated string which will do all sorts of nasty things to your output, not to mention wreak havoc on the stats since you are cutting off the domain portion, not the hostname part, and adding random garbage at the end.

Anyway, Version 2.01-10 has been released, which fixes this and a few other buglets that have been discovered in the last month or so. Get it at the usual place (web: www.mrunix.net/webalizer/ or www.webalizer.org or ftp: ftp.mrunix.net/pub/webalizer/), and should be on the mirror sites soon.

--
Bradford L. Barrett                      bradat_private
A free electron in a sea of neutrons     DoD#1750 KD4NAW

The only thing Micro$oft has done for society, is make people
believe that computers are inherently unreliable.
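Added example, not part of the original message and not webalizer's code or the patch under discussion: the two failure modes named in the reply (an unterminated buffer after a bounded copy, and truncation that drops the domain end of a hostname) next to a copy that always terminates and keeps the rightmost bytes. The buffer size, the sample hostname and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define HOSTSZ 16   /* constructed size, not webalizer's real buffer length */

/* Constructed sample hostname, longer than HOSTSZ. */
static const char *SAMPLE = "very-long-host-name.dialup.example.com";

/* Bounded copy alone: strncpy() writes no NUL when src has n or more bytes. */
static void copy_truncating(char *dst, size_t n, const char *src)
{
    strncpy(dst, src, n);
}

/* Bounded copy that always terminates and keeps the rightmost (domain)
 * bytes. Returns 1 if the hostname was shortened, 0 otherwise. */
static int copy_keep_domain(char *dst, size_t n, const char *src)
{
    size_t len = strlen(src);
    int cut = len >= n;
    if (n == 0) return 1;
    if (cut) src += len - (n - 1);          /* drop leading hostname bytes */
    memcpy(dst, src, cut ? n - 1 : len);
    dst[cut ? n - 1 : len] = '\0';
    return cut;
}

/* 1 if a NUL exists inside the buffer; never reads past its end. */
static int is_terminated(const char *buf, size_t n)
{
    return memchr(buf, '\0', n) != NULL;
}

int demo_truncating_terminated(void)
{
    char buf[HOSTSZ];
    copy_truncating(buf, sizeof buf, SAMPLE);
    return is_terminated(buf, sizeof buf);
}

const char *demo_keep_domain(void)
{
    static char buf[HOSTSZ];
    copy_keep_domain(buf, sizeof buf, SAMPLE);
    return buf;
}
```

Any later string call on the unterminated buffer (printf with %s, strlen, strcmp) reads past its end, which is where the garbage in the report output comes from.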
This archive was generated by hypermail 2b30 : Wed Apr 17 2002 - 18:47:43 PDT