A remote overflow exists in Apache. The htpasswd binary fails to perform proper bounds checking, resulting in a buffer overflow. With a specially crafted request containing user and passwd variables, a remote attacker can cause arbitrary code execution, resulting in a loss of integrity. Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Reproducible: Always

Steps to Reproduce:
1.
2.
3.

External References:
Nessus Script ID: 14771
ISS X-Force ID: 17413
Vendor URL: http://www.apache.org
Security Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2004-09/0547.html
http://www.osvdb.org/10068
Lots of confusion over this thing. It's a buffer overflow in htpasswd.c failing to sanitize user input. So a local user can walk over his own feet and execute arbitrary code with his local rights. Yoohoo. It's not SUID, so the only option I see would be if it was called remotely by a password-updating script or whatever, and that script/PHP/whatever failed to check input?

OSVDB[1] got it wrong: it's not a remote vulnerability (description is incorrect, title is correct). ISS[2] got it wrong too: "A local attacker can use this vulnerability to overflow a buffer and execute arbitrary code on the system." Right. Do they know what a local user is?

Yes, it should be fixed. And no, I don't think it's a vulnerability. Please, prove me wrong.

[1] http://www.osvdb.org/10068
[2] http://xforce.iss.net/xforce/xfdb/17413
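The one remote path the comment above allows for is a web front end that hands user-supplied username and password straight to htpasswd without checking them. As an added example (not code from this bug report or from the Apache project), here is a Python wrapper that a password-updating script could use: it enforces length and character limits on both values before htpasswd is ever invoked, and passes the password on stdin via `htpasswd -i` (an Apache 2.4+ option) so it never appears on the command line. The numeric limits, the helper names and the `-i` usage are assumptions, not values from the report.

```python
import re
import subprocess

# Assumed limits (not from the bug report): keep user-supplied values far
# below any fixed-size buffer inside htpasswd, and reject characters that
# would corrupt the file format (':' separates fields, newlines end records).
MAX_USER_LEN = 64
MAX_PASS_LEN = 128
USER_RE = re.compile(r"^[A-Za-z0-9._@-]+$")
FORBIDDEN_IN_PASSWORD = (":", "\r", "\n", "\0")


class InvalidCredentialInput(ValueError):
    """Raised when a username or password must not reach htpasswd."""


def validate_credentials(user: str, passwd: str) -> None:
    """Reject anything a web front end must not pass through to htpasswd."""
    if not user or len(user) > MAX_USER_LEN:
        raise InvalidCredentialInput("username empty or longer than %d" % MAX_USER_LEN)
    if not USER_RE.match(user):
        raise InvalidCredentialInput("username contains disallowed characters")
    if not passwd or len(passwd) > MAX_PASS_LEN:
        raise InvalidCredentialInput("password empty or longer than %d" % MAX_PASS_LEN)
    if any(ch in passwd for ch in FORBIDDEN_IN_PASSWORD):
        raise InvalidCredentialInput("password contains a field or record separator")


def is_safe_credential_input(user: str, passwd: str) -> bool:
    """Boolean form of validate_credentials, convenient for callers."""
    try:
        validate_credentials(user, passwd)
    except InvalidCredentialInput:
        return False
    return True


def build_htpasswd_argv(htpasswd_file: str, user: str, htpasswd_bin: str = "htpasswd") -> list:
    """argv for 'htpasswd -i FILE USER' (assumed: -i reads the password from
    stdin, Apache 2.4+), so the secret stays out of the process list."""
    return [htpasswd_bin, "-i", htpasswd_file, user]


def update_password(htpasswd_file: str, user: str, passwd: str, runner=subprocess.run) -> int:
    """Validate first, then invoke htpasswd with the password on stdin.
    'runner' is injectable so the flow can be exercised without the binary."""
    validate_credentials(user, passwd)
    result = runner(build_htpasswd_argv(htpasswd_file, user),
                    input=passwd + "\n", text=True, capture_output=True)
    return result.returncode
```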
Following my report, ISS corrected their advisory and downgraded the severity: "A local attacker, within the same permissions assigned to the attacker, could exploit this vulnerability to overflow a buffer and execute arbitrary code on the system." It's not really better, but at least it's correct.

In the original advisory: "Vendor Notified: Two months ago, but we got no answer." No kidding.

Closing this one as bogus. Feel free to reopen if you disagree.