> Hello (sorry if this gets long or if it's known but I don't think it is):
>
> Well this is an obvious overflow in one of apache's modules; it is
> remote too.....however, luckily for the web admin's it's not installed
> by default. The problem is in mod_auth_anon.c in the function
> anon_authenticate_basic_user(). It contains the following lines:
>
> char errstr[MAX_STRING_LEN];
> [...]
> if (sec->auth_anon_logemail) {
> sprintf(errstr,"Anonymous: Passwd <%s> Accepted",
> send_pw ? send_pw : "\'none\'");
> [...]
> } else {
> if (sec->auth_anon_authorative) {
> sprintf(errstr,"Anonymous: Authorative, Passwd <%s> not accepted",
> send_pw ? send_pw : "\'none\'");
> [...]
>
Yes, that is correct. It is bad code. You will note, however that input
lines are limited to MAX_STRING_LEN as well (couldn't be HUGE_STRING_LEN,
but they are the same) so you would have trouble inputting a password long
enough to cause problems. There is a _LOT_ of code in Apache 1.1 that
works on this tacit assumption. That is a bad thing, but most of it is
not exploitable.
In Apache 1.2, a full review of the source was done, and hundreds of
possible buffer overflows were fixed; very few could cause any real
damange. We added our own ap_snprintf() (borrowed from other code) and
changed nearly every sprintf to ap_snprintf in addition to fixing other
possible overflows.
--
Marc Slemko | Apache team member
marcs@znep.com | marc@apache.org