Bug 41279 - Apache 1.3.37 htpasswd is vulnerable to buffer overflow vulnerability
Status: RESOLVED WONTFIX
Product: Apache httpd-1.3
Classification: Unclassified
Component: Other
Version: HEAD
Hardware: All
OS: All
Priority: P3
Severity: normal
Assigned To: Apache HTTPD Bugs Mailing List
Reported: 2007-01-02 12:13 UTC by Matias S. Soler
Modified: 2011-03-21 11:03 UTC
Description Matias S. Soler 2007-01-02 12:13:32 UTC
Synopsis: Apache 1.3.37 htpasswd buffer overflow vulnerability
Version: 1.3.37 (latest 1.3.xx)

Product
=======
Apache htpasswd utility


Issue
=====
A buffer overflow vulnerability has been found; it is dangerous only in
environments where the binary is suid root.

Details
=======
Incorrect validation of the size of user input allows a string to be copied,
via strcpy, into a fixed-size buffer.
File: htpasswd.c, Line 421.

Solution
========
Apply this patch to htpasswd.c

-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<--

  415,419c415,420
  <       if (strlen(argv[i + 1]) > (sizeof(user) - 1)) {
  <           fprintf(stderr, "%s: username too long (>%lu)\n", argv[0],
  <                   (unsigned long)(sizeof(user) - 1));
  <           return ERR_OVERFLOW;
  <       }
  ---
  >     }
  >     if (strlen(argv[i + 1]) > (sizeof(user) - 1)) {
  >       fprintf(stderr, "%s: username too long (>%lu)\n", argv[0],
  >       (unsigned long)(sizeof(user) - 1));
  >       return ERR_OVERFLOW;
  >
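Review bot: the last `>` line of the hunk is empty, so the closing `}` of the relocated `if (strlen(argv[i + 1]) > (sizeof(user) - 1))` block never appears on the new side (415,420), while the `}` that now opens the new side at line 415 closes whichever block previously enclosed the check; as posted, the braces in the six replacement lines do not balance against the five removed ones. Please re-post this as a unified diff (`diff -u`) with a few lines of surrounding context so the enclosing block and the strcpy at line 421 that the report describes are visible, and say which block the length check is being moved out of, since that is the substance of the fix.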
--->8----->8----->8----->8----->8----->8----->8----->8----->8----->8----->8-----

Affected Versions
==================
1.3.37 - http://www.apache.org/dist/httpd/apache_1.3.37.tar.gz

Notes & References
==================
Another similar bug was discovered by Luiz Fernando [1]; Larry Cashdollar's
patch also fixed the bug I'm posting, but it seems not to have been applied to
the latest versions of Apache 1.3.xx.

Michael Engert submitted another patch [1] which also fixed this bug and filed
a bug report [1], but it wasn't applied.

Have a look at other posts [3][4] on this (and similar) issues.

1 - http://archives.neohapsis.com/archives/fulldisclosure/2004-09/0547.html
2 - http://issues.apache.org/bugzilla/show_bug.cgi?id=31975
3 - http://seclists.org/bugtraq/2004/Oct/0359.html
4 - http://www.security-express.com/archives/fulldisclosure/2004-10/1117.html


Credits
=======
Matias S. Soler - gnuler [at] gmail [dot] com
Luiz Fernando
Michael Engert
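The report above describes an unchecked copy of a command-line argument into a fixed-size buffer. The following is an added example, not code from the reporter or from httpd: it shows the shape of the check the reporter's patch relies on (reject the argument when `strlen(src) > sizeof(buf) - 1`, then copy), with the extra argument-count check a reviewer would want so that `argv[i + 1]` is never dereferenced when it does not exist. The buffer size `USER_BUF_LEN`, the function name `copy_user_arg` and the `COPY_*` return codes are constructed for this example; htpasswd's real buffer size and `ERR_*` values are not given on the page.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed buffer size for the demo. The real size of htpasswd's
 * `user` buffer is not stated on the page, so this is an assumption. */
#define USER_BUF_LEN 16

/* Return codes are assumptions for this example, not htpasswd's ERR_* values. */
#define COPY_OK        0
#define COPY_OVERFLOW -1
#define COPY_MISSING  -2

/*
 * Copy argv[i + 1] into dst (capacity dstsz, including the NUL).
 *
 * Two checks stand between the argument and the fixed-size buffer:
 *   1. the argument must actually exist (i + 1 < argc), otherwise
 *      strlen(argv[i + 1]) would read a NULL pointer;
 *   2. its length must fit, i.e. strlen(src) <= dstsz - 1, the same
 *      comparison the reporter's patch uses against sizeof(user) - 1.
 * Only when both pass is anything written to dst, so on failure the
 * caller's buffer is left untouched.
 */
int copy_user_arg(int argc, char *const argv[], int i,
                  char *dst, size_t dstsz)
{
    const char *src;
    size_t len;

    if (dstsz == 0 || i + 1 >= argc)
        return COPY_MISSING;            /* nothing to copy from */

    src = argv[i + 1];
    len = strlen(src);
    if (len > dstsz - 1) {
        fprintf(stderr, "username too long (>%lu)\n",
                (unsigned long)(dstsz - 1));
        return COPY_OVERFLOW;           /* refuse; do not touch dst */
    }

    memcpy(dst, src, len + 1);          /* len + 1 copies the NUL too */
    return COPY_OK;
}

/* Stand-alone demo: run as ./a.out <username> and watch the result. */
int main(int argc, char *argv[])
{
    char user[USER_BUF_LEN];
    int rc = copy_user_arg(argc, argv, 0, user, sizeof user);

    if (rc == COPY_OK)
        printf("accepted user '%s'\n", user);
    else
        printf("rejected, rc=%d\n", rc);
    return rc == COPY_OK ? 0 : 1;
}
```

The comparison uses `dstsz - 1` rather than `dstsz` because one byte of the buffer is reserved for the terminating NUL; an input of exactly `USER_BUF_LEN - 1` characters is the longest that fits, and anything longer is refused before any byte is written.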
Comment 1 Malte S. Stretz 2011-03-21 11:03:14 UTC
Apache HTTP Server 1.3.x is not supported anymore and no bugs will be fixed in the old codebase (cf. <http://mail-archives.apache.org/mod_mbox/httpd-announce/201002.mbox/%3C20100203000334.GA19021@infiltrator.stdlib.net%3E>). Since this bug seems to affect only 1.3.x, I'm closing it as WONTFIX.

If this bug still affects you in a recent version (version 2.2.x or the upcoming version 2.4), please open a new bug.

Thank you for reporting the bug.