Apache 1.3.26

From: David Wagner (dawat_private)
Date: Wed Oct 16 2002 - 15:32:26 PDT


    I recently did a very brief (and non-exhaustive) security audit of
    Apache 1.3.26, and noticed some small potential bugs in some of the
    helper programs that come with the distribution.
    
    Apache maintainers have been notified, and the most serious of these
    bugs have been fixed in 1.3.27.  I'm sending this primarily to document
    for the record what vulnerabilities existed and were fixed.  This audit
    can be found on Sardonix at https://sardonix.org/audit/apache-45.html
    
    Also, I noticed a few suspicious code fragments, which weren't fixed
    in 1.3.27.  For the most part, their security consequences looked
    less dire, or minimal.  I'll describe these as well for completeness.
    Can anyone else take a look at these and see if I overlooked anything?
    
    
    1. Buffer overrun in support/ab.c:read_connection()
      char buffer[8192];
      char servername[1024];
      static void read_connection(struct connection * c) {
          ...
          r = ab_read(c->fd, buffer, sizeof(buffer));
          ...
          char *p, *q;
          p = strstr(c->cbuff, "Server:");
          q = servername;
          if (p) {
              p += 8;                /* skip "Server: " */
              while (*p > 32)        /* no bound check: a Server: value longer */
                  *q++ = *p++;       /* than 1023 bytes overruns servername[] */
          }
          *q = 0;
    Impact: Anyone using ab to connect to a malicious server may be vulnerable
    Fixed in 1.3.27: http://www.apacheweek.com/features/security-13
    
    2. Race condition in support/htpasswd.c:main()
          tempfilename = tmpnam(tname_buf);     /* predictable name, no O_EXCL */
          ftemp = fopen(tempfilename, "w+");    /* follows a pre-placed symlink */
          ...
          copy_file(ftemp, fpw);                /* password data written there */
    Impact: any local user can read, modify contents of Apache password file,
    if she exploits this bug when an administrator runs htpasswd
    Not fixed in 1.3.27
    
    3. Race condition in support/htdigest.c:main()
          tn = tmpnam(NULL);                    /* predictable name, no O_EXCL */
          if (!(tfp = fopen(tn, "w"))) ...      /* follows a pre-placed symlink */
          ...
          sprintf(command, "cp %s %s", tn, argv[1]);  /* argv[1] unquoted */
          system(command);                      /* passed through the shell */
    Impact: any local user can read, modify contents of Apache password file,
    if she exploits this bug when an administrator runs htdigest
    Not fixed in 1.3.27
    
    4. Also, totally bogus call to system() in support/htdigest.c:main()
      (see above)
    Impact: probably none, but htdigest shouldn't be called from CGI scripts, etc.
    Not fixed in 1.3.27
    
    5. Buffer overruns in support/htdigest.c:main()
    There are many, but here's one:
      #define MAX_STRING_LEN 256
      int main(int argc, char *argv[]) {
          char user[MAX_STRING_LEN];
          strcpy(user, argv[3]);     /* argv[3] copied with no length check */
    Impact: probably none, but htdigest shouldn't be called from CGI scripts, etc.
    Not fixed in 1.3.27
    
    6. strncat() used incorrectly in support/ab.c:main()
      char cookie[1024];
      int main(int argc, char **argv) {
        while ((c = getopt(argc, argv, "..."))) {
        switch (c) {
        case 'C':
          /* strncat's third argument is the number of bytes to append, not
           * the size of the destination, so these calls can write past
           * the end of cookie[] on an overlong -C argument */
          strncat(cookie, "Cookie: ", sizeof(cookie));
          strncat(cookie, optarg, sizeof(cookie));
          strncat(cookie, "\r\n", sizeof(cookie));
          break;
    The -A, -P, and -H options are broken as well.
    Impact: probably none, but ab shouldn't be called from CGI scripts, etc.
    Fixed in 1.3.27: http://www.apacheweek.com/features/security-13
    
    
    Acknowledgements: This audit was aided by RATS.  Thanks to the RATS authors!
    
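    Added example (not part of David Wagner's post and not Apache code): bounded
    rewrites of the two copies from items 1 and 6 above, plus constructed
    inputs long enough to overrun the original 1024-byte buffers. The helper
    names append_bounded, build_cookie_header, extract_server and the demo_*
    functions are assumptions for illustration only. The point of
    append_bounded is the one the strncat misuse turns on: the third argument
    must be the room remaining in the destination, not sizeof(dst).

```c
#include <stdio.h>
#include <string.h>

/* Assumed helper (not Apache code): append src to dst, never writing past
 * dstsz bytes. strncat's third argument is the maximum number of characters
 * to APPEND, so it must be the remaining room, not sizeof(dst) as in ab.c. */
static int append_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t used = strlen(dst);
    size_t room;
    if (used >= dstsz)
        return -1;                 /* dst is not NUL-terminated within bounds */
    room = dstsz - used - 1;       /* leave space for the terminating NUL */
    if (strlen(src) > room)
        return -1;                 /* refuse rather than silently truncate */
    strncat(dst, src, room);
    return 0;
}

/* Hardened counterpart of the -C handling in ab.c:main(): builds
 * "Cookie: <value>\r\n" into cookie[] and fails cleanly on overlong input. */
int build_cookie_header(char *cookie, size_t cookiesz, const char *value)
{
    if (cookiesz == 0)
        return -1;
    cookie[0] = '\0';
    if (append_bounded(cookie, cookiesz, "Cookie: ") < 0 ||
        append_bounded(cookie, cookiesz, value) < 0 ||
        append_bounded(cookie, cookiesz, "\r\n") < 0)
        return -1;
    return 0;
}

/* Hardened counterpart of the Server: extraction in ab.c:read_connection().
 * Copies at most servsz-1 bytes of the header value and always terminates.
 * Returns 0 on success, 1 if the value was truncated, -1 if no header. */
int extract_server(const char *response, char *servername, size_t servsz)
{
    const char *p = strstr(response, "Server:");
    size_t n = 0;
    if (servsz == 0)
        return -1;
    servername[0] = '\0';
    if (!p)
        return -1;
    p += 7;                                   /* skip "Server:" */
    while (*p == ' ' || *p == '\t')
        p++;                                  /* skip leading whitespace */
    while ((unsigned char)*p > 32 && n + 1 < servsz)
        servername[n++] = *p++;               /* stop on space/CR/LF or room */
    servername[n] = '\0';
    return ((unsigned char)*p > 32) ? 1 : 0;  /* more value left = truncated */
}

/* Constructed input: a 1999-byte -C argument, longer than cookie[1024]. */
int demo_cookie_overlong(void)
{
    static char cookie[1024];
    char value[2000];
    memset(value, 'A', sizeof value - 1);
    value[sizeof value - 1] = '\0';
    return build_cookie_header(cookie, sizeof cookie, value);   /* -1 */
}

/* Constructed input: a malicious server's 2000-byte Server: header. */
int demo_server_overlong(char *servername, size_t servsz)
{
    static char response[2200];
    const char *prefix = "HTTP/1.0 200 OK\r\nServer: ";
    size_t hdr = strlen(prefix);
    strcpy(response, prefix);
    memset(response + hdr, 'X', 2000);
    strcpy(response + hdr + 2000, "\r\n\r\n");
    return extract_server(response, servername, servsz);        /* 1 */
}

int main(void)
{
    char cookie[1024], servername[1024];
    const char *resp = "HTTP/1.0 200 OK\r\nServer: Apache/1.3.27 (Unix)\r\n\r\n";

    build_cookie_header(cookie, sizeof cookie, "session=abc123");
    printf("%s", cookie);
    extract_server(resp, servername, sizeof servername);
    printf("server=%s\n", servername);
    printf("overlong cookie -> %d\n", demo_cookie_overlong());
    printf("overlong server -> %d (kept %zu bytes)\n",
           demo_server_overlong(servername, sizeof servername),
           strlen(servername));
    return 0;
}
```

    With the constructed inputs, build_cookie_header refuses the overlong
    cookie and extract_server keeps the first 1023 bytes of the header and
    reports truncation, where the original ab.c code would have written past
    the end of its arrays. The race conditions in items 2 and 3 are a separate
    problem: there the fix is to create the temporary file with mkstemp() (or
    open() with O_CREAT|O_EXCL) rather than tmpnam()+fopen(), and to copy it
    with plain file I/O instead of a shell command.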


