Bug in mnogosearch-3.1.19

From: qitest1 (qitest1at_private)
Date: Sat May 11 2002 - 10:08:15 PDT

Next message: Jeff Franklin: "Re: wu-imap buffer overflow condition"

Previous message: Blue Boar: "Re: GOBBLES SECURITY ADVISORY #33"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

	qitest1 security advisory #003

Bug in mnogosearch-3.1.19 and prior
-----------------------------------------------

PROGRAM DESCRIPTION
mnoGoSearch is a full-featured SQL based web search engine, 
available from http://www.mnogosearch.org.

PROBLEM DESCRIPTION
When receiving a too long query string (q var), search.cgi
segfaults (http://127.0.0.1/cgi-bin/search.cgi?q=query). The bug
resides in a bad management of heap-allocated memory. The bug could
be abused by remote attackers to execute code with web server  
privileges.

SOLUTION
Authors were contacted a month ago: they told me that the cvs 
version had been fixed. Nevertheless the stable version
recommended on their web site is still bugged. At the moment you
should disable search.cgi, use the stupid patch attached to this
advisory (for 3.1.19) or alternatively install last cvs version.

--
---- q1-- http://qitest1.0xfee1dead.net/
--

TEXT/PLAIN attachment: mnogosearch-3.1.19.patch

Next message: Jeff Franklin: "Re: wu-imap buffer overflow condition"
Previous message: Blue Boar: "Re: GOBBLES SECURITY ADVISORY #33"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sat May 11 2002 - 12:07:03 PDT