Bug 31975 - httpd-1.3.33: buffer overflow in htpasswd if called with long arguments
httpd-1.3.33: buffer overflow in htpasswd if called with long arguments
Status: RESOLVED WONTFIX
Product: Apache httpd-1.3
Classification: Unclassified
Component: Other
HEAD
All All
: P3 normal with 3 votes (vote)
: ---
Assigned To: Apache HTTPD Bugs Mailing List
:
Depends on:
Blocks:
  Show dependency tree
 
Reported: 2004-10-29 21:22 UTC by Michael Engert
Modified: 2011-03-21 11:01 UTC (History)
1 user (show)



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Engert 2004-10-29 21:22:13 UTC
Luiz Fernando wrote an article in the Full-Disclosure Mailing List (see:
http://archives.neohapsis.com/archives/fulldisclosure/2004-09/0547.html),
publishing a PoC how to crash htpasswd. This could become a problem, if
htpasswd is run suid root with user supplied arguments at the command line.

Larry Cashdollar <lwc@vapid.ath.cx> replied to this message via BUQTRAQ, giving
a patch, which replaces all calls to strcpy() with calls to strncpy(). Looking
at the code, I found that this wasn't neccessary, because the strcpy()-calls in
the original are protected by if-statements. Well, almost all strcpy()-calls are
protected. At one place the protecting if-statement slipped into another one,
becoming useless in some situations.

So I created this little patch against src/support/htpasswd.c shipped with
apache-1.3.33.tar.gz:

--- cut --- cut --- cut ---
--- src/support/htpasswd.c.orig	Fri Feb 20 23:02:24 2004
+++ src/support/htpasswd.c	Fri Oct 29 21:13:36 2004
@@ -411,11 +411,11 @@
 	    return ERR_OVERFLOW;
 	}
 	strcpy(pwfilename, argv[i]);
-	if (strlen(argv[i + 1]) > (sizeof(user) - 1)) {
-	    fprintf(stderr, "%s: username too long (>%lu)\n", argv[0],
-		    (unsigned long)(sizeof(user) - 1));
-	    return ERR_OVERFLOW;
-	}
+    }
+    if (strlen(argv[i + 1]) > (sizeof(user) - 1)) {
+	fprintf(stderr, "%s: username too long (>%lu)\n", argv[0],
+		(unsigned long)(sizeof(user) - 1));
+	return ERR_OVERFLOW;
     }
     strcpy(user, argv[i + 1]);
     if ((arg = strchr(user, ':')) != NULL) {
--- cut --- cut --- cut ---

Larry told us, that there is a nessus plugin which recognizes this buffer
overflow and recommends an update to apache httpd 1.3.32. But I couldn't find a
corresponding entry in the bug database. :-( Comparing the versions 1.3.31,
1.3.32 and 1.3.33, I found no differences between the files. ...
Comment 1 Malte S. Stretz 2011-03-21 11:01:17 UTC
Apache HTTP Server 1.3.x is not supported anymore and no bugs will be fixed in the old codebase (cf. <http://mail-archives.apache.org/mod_mbox/httpd-announce/201002.mbox/%3C20100203000334.GA19021@infiltrator.stdlib.net%3E>). Since this bug seems to affect only 1.3.x, I'm closing it as WONTFIX.

If this bug still affects you in a recent version (version 2.2.x or the upcoming version 2.4), please open a new bug.

Thank you for reporting the bug.