| Summary: | Apache htpasswd Local Overflow (net-www/apache 1.3.31) -revised- | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Marc Vila <marc.vila> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED INVALID | | |
| Severity: | normal | | |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.osvdb.org/10068 | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
Description
Marc Vila
2004-10-05 07:11:33 UTC

Lots of confusion over this thing. It's a buffer overflow in htpasswd.c failing to sanitize user input. So a local user can walk over his own feet and execute arbitrary code with his local rights. Yoohoo. It's not SUID, so the only option I see would be if it was called remotely by a password-updating script or whatever, and that script/PHP/whatever would fail to check input?

OSVDB[1] got it wrong, it's not a remote vulnerability (description is incorrect, title is correct). ISS[2] got it wrong too. "A local attacker can use this vulnerability to overflow a buffer and execute arbitrary code on the system." Right. Do they know what a local user is?

Yes, it should be fixed. And no, I don't think it's a vulnerability. Please, prove me wrong.

[1] http://www.osvdb.org/10068
[2] http://xforce.iss.net/xforce/xfdb/17413

Following my report, ISS corrected their advisory and downgraded the severity: "A local attacker, within the same permissions assigned to the attacker, could exploit this vulnerability to overflow a buffer and execute arbitrary code on the system." It's not really better, but at least it's correct.

In the original advisory: "Vendor Notified: Two months ago, but we got no answer." No kidding.

Closing this one as bogus. Feel free to reopen if you disagree.
Lot of confusion over this thing. It's a buffer overflow in htpasswd.c failing to sanitize user input. So local user can walk over his feet and execute arbitrary code with his local rights. Yoohoo. It's not SUID, so the only option I see would be if it was called remotely by a password-updating script or whatever, and that script/PHP/whatever would fail to check input ? OSVDB[1] got it wrong, it's not a remote vulnerability (description is incorrect, title is correct) ISS[2] got it wrong too. "A local attacker can use this vulnerability to overflow a buffer and execute arbitrary code on the system." Right. Do they know what a local user is ? Yes, it should be fixed. And no, I don't think it's a vulnerability. Please, prove me wrong. [1] http://www.osvdb.org/10068 [2] http://xforce.iss.net/xforce/xfdb/17413 Following my report, ISS corrected their advisory and downgraded the severity : "A local attacker, within the same permissions assigned to the attacker, could exploit this vulnerability to overflow a buffer and execute arbitrary code on the system." It's not really better, but at least it's correct. In the original advisory : "Vendor Notified: Two months ago, but we got no answer." No kidding. Closing this one as bogus. Feel free to reopen if you disagree. |