TUCoPS :: Web :: Apache :: apache26.txt

Apache 1.3.26 Potential Bugs


I recently did a very brief (and non-exhaustive) security audit of
Apache 1.3.26, and noticed some small potential bugs in some of the
helper programs that come with the distribution.

Apache maintainers have been notified, and the most serious of these
bugs have been fixed in 1.3.27.  I'm sending this primarily to document
for the record what vulnerabilities existed and were fixed.  This audit
can be found on Sardonix at https://sardonix.org/audit/apache-45.html

Also, I noticed a few suspicious code fragments, which weren't fixed
in 1.3.27.  For the most part, their security consequences looked
less dire, or minimal.  I'll describe these as well for completeness.
Can anyone else take a look at these and see if I overlooked anything?


1. Buffer overrun in support/ab.c:read_connection()
  char buffer[8192];
  char servername[1024];
  static void read_connection(struct connection * c) {
      ...
      r = ab_read(c->fd, buffer, sizeof(buffer));
      ...
                char *p, *q;
                p = strstr(c->cbuff, "Server:");
                q = servername;
                if (p) {
                    p += 8;
                    while (*p > 32)
                        *q++ = *p++;
                }
                *q = 0;
Impact: Anyone using ab to connect to a malicious server may be vulnerable
Fixed in 1.3.27: http://www.apacheweek.com/features/security-13

2. Race condition in support/htpasswd.c:main()
      tempfilename = tmpnam(tname_buf);
      ftemp = fopen(tempfilename, "w+");
      ...
      copy_file(ftemp, fpw);
Impact: any local user can read, modify contents of Apache password file,
if she exploits this bug when an administrator runs htpasswd
Not fixed in 1.3.27

3. Race condition in support/htdigest.c:main()
      tn = tmpnam(NULL);
      if (!(tfp = fopen(tn, "w"))) ...
      ...
      sprintf(command, "cp %s %s", tn, argv[1]);
      system(command);
Impact: any local user can read, modify contents of Apache password file,
if she exploits this bug when an administrator runs htdigest
Not fixed in 1.3.27

4. Also, totally bogus call to system() in support/htdigest.c:main()
  (see above)
Impact: probably none, but htdigest shouldn't be called from CGI scripts, etc.
Not fixed in 1.3.27

5. Buffer overruns in support/htdigest.c:main()
There are many, but here's one:
  #define MAX_STRING_LEN 256
  int main(int argc, char *argv[]) {
      char user[MAX_STRING_LEN];
      strcpy(user, argv[3]);
Impact: probably none, but htdigest shouldn't be called from CGI scripts, etc.
Not fixed in 1.3.27

6. strncat() used incorrectly in support/ab.c:main()
  char cookie[1024];
  int main(int argc, char **argv) {
    while ((c = getopt(argc, argv, "..."))) {
    switch (c) {
    case 'C':
      strncat(cookie, "Cookie: ", sizeof(cookie));
      strncat(cookie, optarg, sizeof(cookie));
      strncat(cookie, "\r\n", sizeof(cookie));
      break;
Also, -A, -P, and -H are broken as well.
Impact: probably none, but ab shouldn't be called from CGI scripts, etc.
Fixed in 1.3.27: http://www.apacheweek.com/features/security-13


Acknowledgements: This audit was aided by RATS.  Thanks to the RATS authors!

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH