Bugtraq: Multiple vulnerabilities in atphttpd-0.4b

Multiple vulnerabilities in atphttpd-0.4b

From: qitest1 <qitest1_at_bespin.org>
Date: Fri, 12 Jul 2002 17:20:47 +0200 (CEST)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                QITEST1 SECURITY ADVISORY #004

Multiple vulnerabilities in atphttpd-0.4b

PROGRAM DESCRIPTION
atphttpd is a caching, tiny - and buggy - webserver written by Yann
Ramin <atrus_at_atrustrivalie.eu.org>.

DETAILS
There are several remotely exploitable flaws in the source code:
regular buffer overflows and an off-by-one buffer overflow.
An attacker would gain privileges of the user running atphttpd.

SOLUTION
The author was contacted, but he was not reachable. The following patch
should fix these bugs.

==8< atphttpd-0.4b.patch 8<==
diff -u atphttpd-0.4b-old/atphttpd/http_handler.c atphttpd-0.4b/atphttpd/http_handler.c
- --- atphttpd-0.4b-old/atphttpd/http_handler.c Sat Apr 22 05:05:57 2000
+++ atphttpd-0.4b/atphttpd/http_handler.c Fri Jul 12 13:20:16 2002
@@ -235,7 +235,7 @@
     (void) sprintf(buffer, "<HTML><HEAD><TITLE>%d %s</TITLE></HEAD>\n<BODY><H2>%d %s</H2>\n", status, title, status, title );
     sock_puts(hc[listnum].socket, buffer);
 
- - (void) sprintf(buffer, "The following error occurred while trying to examine the garbage that you sent this poor webserver: <br><b>%s</b><br><br>\n", text );
+ snprintf(buffer, sizeof(buffer), "The following error occurred while trying to examine the garbage that you sent this poor webserver: <br><b>%s</b><br><br>\n", text);
     sock_puts(hc[listnum].socket, buffer);
 
     (void) sprintf(buffer, "<HR>\n<ADDRESS>This cool page was automaticly generated by the trained rodents living inside the <A HREF=\"%s\">%s</A> webserver.</ADDRESS>\n</BODY></HTML>\n", SERVER_URL, SERVER_NAME );
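Review bot: only the middle `sprintf` is converted, but the two `(void) sprintf(buffer, ...)` calls shown as context two lines above and immediately below write into the same `buffer` unbounded; `title` goes in through `%s` on the first, and `SERVER_URL`/`SERVER_NAME` on the last. Convert all three to `snprintf(buffer, sizeof(buffer), ...)` so the function has one consistent bound rather than a single patched line. Also, `sizeof(buffer)` is only the right size if `buffer` is declared as an array in this function and not received as a pointer; the hunk does not show the declaration, so that should be confirmed.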
diff -u atphttpd-0.4b-old/atphttpd/main.c atphttpd-0.4b/atphttpd/main.c
- --- atphttpd-0.4b-old/atphttpd/main.c Sat Apr 22 05:06:00 2000
+++ atphttpd-0.4b/atphttpd/main.c Fri Jul 12 13:30:55 2002
@@ -141,13 +141,11 @@
          }
  }
 
- - void deal_with_data(int listnum) {
- - char buffer[MAX_BUFFER]; /* Buffer for socket reads */
- -// char *cur_char; /* Used in processing buffer */
- - char method[MAX_STORE], path[MAX_STORE], protocol[MAX_STORE];
- -
- - if (sock_gets(hc[listnum].socket,buffer,MAX_BUFFER) < 0) {
+void deal_with_data(int listnum) {
+ char buffer[MAX_BUFFER];
+ char method[MAX_STORE], path[MAX_STORE], protocol[MAX_STORE];
 
+ if (sock_gets(hc[listnum].socket, buffer, MAX_BUFFER - 1) < 0) {
                  close(hc[listnum].socket);
                  hc[listnum].socket = 0;
          } else {
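Review bot: passing `MAX_BUFFER - 1` to `sock_gets` moves the off-by-one fix to the call site, so every other caller of `sock_gets` must remember the same `- 1` or reintroduce the bug. The more robust change is inside `sock_gets` itself: read at most `n - 1` bytes and always NUL-terminate, so callers can pass `sizeof(buffer)`. The hunk also drops the `/* Buffer for socket reads */` comment along with the dead `cur_char` line; removing the dead code is fine, but the comment on `buffer` was useful and could stay.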
@@ -155,7 +153,7 @@
                                                                 * *
                                                                 * Right now it is very dumb, and only checks for a get header *
                                                                 * Improvements? */
- - sscanf( buffer, "%[^ ] %[^ ] %[^ ]", method, path, protocol );
+ sscanf(buffer, "%1023s %1023s %1023s", method, path, protocol);
                  if ( strcasecmp( method, "get" ) == 0 || strcasecmp( method, "head" ) == 0) {
                                                                                 strcpy(hc[listnum].path, path);
                                                                                 
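Review bot: `%1023s` hard-codes the assumption that `MAX_STORE` is 1024; if that define ever changes, the widths silently stop matching the arrays. Derive the width from `MAX_STORE - 1` (a stringified macro, or a format string generated with `snprintf`) so it is tied to the array size. The return value of `sscanf` is still not checked, so a request line with fewer than three tokens leaves `method`, `path` or `protocol` uninitialised before `strcasecmp` and `strcpy` read them. The `strcpy(hc[listnum].path, path)` in the trailing context also remains unbounded unless `hc[].path` is at least `MAX_STORE` bytes, which the hunk does not show. Note that switching from `%[^ ]` to `%s` also changes parsing slightly (leading whitespace skipped, any whitespace ends a token, including `\r`), which is reasonable for a request line but worth stating in the patch description.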
==8< atphttpd-0.4b.patch 8<==

  -- -------------------------------------------
  ---- q1-- ----------------------------------------
  -- -------------------------------------------
  Web: http://bespin.org/~qitest1
  GPG public key: http://bespin.org/~qitest1/qitest1.gpg.key
  - --------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9LtQ/IrsshIyVmPkRAvrcAJ4pmxndYZKUhhz8kgTyY3gJ1gvoWQCgk3mh
pnhu3Y3K7gzgiroXxvvjKF4=
=cnA0
-----END PGP SIGNATURE-----
Received on Jul 12 2002
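The DETAILS section describes two classes of bug, an unbounded `sprintf`/`sscanf` into fixed arrays and an off-by-one in the socket read, and the patch bounds them with hard-coded limits at each call site. The following is an added example, not code from qitest1's advisory or from atphttpd, showing the same two fixes written so the limits come from the buffer sizes themselves: a line reader that owns the `- 1` and always NUL-terminates, and a request-line parser whose `%Ns` widths are generated from `MAX_STORE` instead of being typed as `1023`. `MAX_STORE`, `MAX_BUFFER`, `struct request` and the function names are assumptions for this demo, and the oversized request line is constructed inline.

```c
/* Added example (not code from qitest1's advisory or from atphttpd):
 * bounded-input patterns where the limits are derived from the buffer
 * sizes. MAX_STORE, MAX_BUFFER, struct request and the function names
 * are assumptions for this demo. */
#include <stdio.h>
#include <string.h>

#define MAX_STORE  1024   /* assumed size of method/path/protocol fields */
#define MAX_BUFFER 4096   /* assumed size of the socket line buffer */

struct request {
    char method[MAX_STORE];
    char path[MAX_STORE];
    char protocol[MAX_STORE];
};

/* Copy one line (up to '\n') from src into dst, storing at most cap-1
 * bytes plus the terminator. The caller passes the full buffer size;
 * the "-1" lives here rather than at every call site, which is the
 * off-by-one the patch addresses by passing MAX_BUFFER - 1.
 * Returns the number of bytes stored, or -1 if cap is 0. */
int bounded_getline(const char *src, size_t srclen, char *dst, size_t cap)
{
    size_t i = 0;
    if (cap == 0) return -1;
    while (i < srclen && i < cap - 1 && src[i] != '\n') {
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';
    return (int)i;
}

/* Parse "METHOD PATH PROTOCOL" into fixed-size fields. The %Ns widths
 * are built from MAX_STORE at run time so they cannot drift from the
 * array size the way a hard-coded %1023s can. Over-long tokens are
 * truncated (the remainder is read as the next token), never written
 * past the arrays. Returns 1 when all three tokens were read, else 0. */
int parse_request_line(const char *line, struct request *req)
{
    char fmt[64];
    int w = MAX_STORE - 1;
    int n = snprintf(fmt, sizeof fmt, "%%%ds %%%ds %%%ds", w, w, w);
    if (n < 0 || (size_t)n >= sizeof fmt) return 0;
    memset(req, 0, sizeof *req);
    return sscanf(line, fmt, req->method, req->path, req->protocol) == 3;
}

/* Constructed sample: a request line whose path is longer than both
 * MAX_STORE and MAX_BUFFER. Returns 1 if both bounds held. */
int demo(void)
{
    char raw[MAX_BUFFER + 100];
    char line[MAX_BUFFER];
    struct request req;
    size_t i;

    strcpy(raw, "GET /");
    for (i = strlen(raw); i < MAX_BUFFER + 50; i++) raw[i] = 'A';
    raw[i] = '\0';
    strcat(raw, " HTTP/1.0\n");

    /* line is cut at MAX_BUFFER-1 bytes and still NUL-terminated */
    if (bounded_getline(raw, strlen(raw), line, sizeof line) != MAX_BUFFER - 1)
        return 0;
    /* path is cut at MAX_STORE-1 bytes; the spill-over lands in protocol */
    if (!parse_request_line(line, &req))
        return 0;
    return strlen(req.path) == MAX_STORE - 1;
}
```

The run-time format string is the simplest way in C89-era code to keep a `sscanf` width in step with an array size; the alternative is a second macro holding `MAX_STORE - 1` as a literal, stringified into the format, with a compile-time check that the two agree.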
