- -- ------------------------- -- -
[>(] AngryPacket Security Advisory [>(]
- – ------------------------- – -
±-------------------- – -
±------------------- – -
±--------------------- – -
vulnerability details
±------------------ – -
problem: local denial-of-service
affected: awhttpd 2.2 and perhaps earlier versions
explaination: any local user with write access to awhttpd's html
directory can crash the daemon by crafting a special
script which is parsed by awhttpd's scripting engine
(which is enabled by default). the offending code
exists on line 29 of misc.c:
if (filefd[i]!= (FILE *) -1) fclose(filefd[i]);
a sample awhttpd script looks like this:
# test.cgi
--AWHTTPD SCRIPT--
echo "this is a test"
F:test.html
the problem is if test.html doesn't exist in the html
directory, then awhttpd will crash on the fclose();
status: vendor was notified
exploit: see above
fix: apply the patches below or disable the scripting engine by
editing config.h in the root source directory of awhttpd.
=====[ begin cut here ]=====
— misc.c.orig Wed Jan 2 16:22:24 2002
+++ misc.c Wed Jan 2 16:26:37 2002
@@ -26,7 +26,7 @@
void discon(int i) {
close(infd[i]);
=====[ begin cut here ]=====
— procscrpt.c.orig Wed Jan 2 16:27:33 2002
+++ procscrpt.c Wed Jan 2 16:51:47 2002
@@ -38,6 +38,12 @@
sending[i]=1;
strcpy(getreqs[i],tpbuf+2);
stripcrlf(getreqs[i]);
strcpy(tpbuf, "Error: cannot locate ");
strncat(tpbuf, getreqs[i], 256);
strcat(tpbuf, " for reading!\n");
logthis(3, tpbuf);
±------- – -
±---------- – -
disclaimer
±------- – -
The contents of this advisory are Copyright (c) 2002 AngryPacket
Security, and may be distributed freely provided that no fee is charged
for distribution and that proper credit is given. As such, AngryPacket
Security group, collectively or individually, shall not be held liable
or responsible for the misuse of any information contained herein.
- -- ------------------------- -- -
[>(] AngryPacket Security Advisory [>(]
- – ------------------------- – -