Namazu-devel-en(old)
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Details on the updated namazu packages that are available
- From: knok@xxxxxxxxxxxxx (NOKUBI Takatsugu)
- Date: Fri, 11 Jan 2002 10:07:52 JST
- X-ml-name: namazu-devel-en
- X-mail-count: 00049
In article <3C3CCEFE.6080501@xxxxxxxxxxx>
dotslash@xxxxxxxxxxx writes:
>> Doh! Looks like I slept on this one too long... heres some of my
>> personal notes on exploiting this issue. Have fun.
Thanks for your report.
>> Here is my research on the above issues:
>> There are several buffer overflows in the QUERY_STRING options
>> Unfortunately the check in namazu.h screws us...
Yes, I had recognized it. So there is a notice about it as the
follwing;
libnamazu.h:
enum {
/* Size of general buffers. This MUST be larger than QUERY_MAX */
BUFSIZE = 1024,
QUERY_TOKEN_MAX = 32, /* Max number of tokens in the query. */
QUERY_MAX = 256, /* Max length of the query. */
INDEX_MAX = 64 /* Max number of databases */
};
.. Oops, it is only QUERY_MAX, not mentioned about
CGI_QUERY_MAX. I'll fix it.
>> In other words unless you have modified namazu then you are not vuln.
>> Now we can exploit this via the command line as a side note ... although
>> its not suid...
>> [root@linuxppc src]# ./namazu querystring `perl -e 'print "A" x 1024'`
>> Results:
>>
>> References: [ (can't open the index) ]
>>
>> No document matching your query.
>> Aborted (core dumped)
CGI program (namazu.cgi) and command-line programm (namazu) is
separated, and command-line program is prohibited to invoke as
CGI. Therefore I think it is not so serious.
At all events, I'll fix it in next release. Thanks.
--
NOKUBI Takatsugu
E-mail: knok@xxxxxxxxxxxxx
knok@xxxxxxxxxx / knok@xxxxxxxxxx