Namazu-devel-en(old)
Re: format string bug in namazu.cgi (low severity) (namazu-bugs-en#31)
- From: knok@xxxxxxxxxxxxx
- Date: Mon, 1 Mar 2004 18:44:36 +0900 (JST)
- X-ml-name: namazu-devel-en
- X-mail-count: 00105
At Wed, 25 Feb 2004 10:11:40 +0900 (JST),
jonny@xxxxxxxxxxxxxxx wrote:
> cd /var/www/cgi-bin/
> export SCRIPT_NAME=./namazu.cgi
> export QUERY_STRING="A=%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x"
>
> ./namazu.cgi && tail -n 4 NMZ.warnlog
> Content-type: text/html
>
> namazu: unknown cgi var: A=xxxxxxxxx\x1b$B`\x1b$Bt\xef\xbf\xbd\x1b(B(BType "text/x-hdml"
>
> As you can see there appears to be some sort of format bug occurring internally
> within namazu-cgi, and is causing it to dump parts of the config file back to
> the user.
> This can be triggered remotely through a web browser - but so far I haven't been
> able to identify any real security risks with this bug.
I traced this problem, and I concluded it is not a format string bug.
'%xx' is used as a hexadecimal representation in CGI form. This is a
bug in nmz_decode_url(). It does not consider non-hexadecimal
characters, so the above situation occasionally causes a buffer overrun.
So, if anyone can send such malformed input in CGI form, it is
considered a serious bug. But I think it is hard because the '%xx'
encoding rule is very simple; it shouldn't be passed through any web
servers.
However, it is exactly a bug. I'll fix it.
Thank you for your report.
-- 
NOKUBI Takatsugu
E-mail: knok@xxxxxxxxxxxxx
knok@xxxxxxxxxx / knok@xxxxxxxxxx
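The decoding flaw described in the reply above, as an added illustration that is not Namazu's own nmz_decode_url() and is not taken from the thread: a percent-decoder only consumes the two characters after '%' when both are actually hexadecimal digits, copies a malformed '%' literally instead of advancing past the end of the input, always bounds-checks the output buffer, and reports how many malformed escapes it saw so a CGI can log them. The function names `safe_decode_url` and `decode_matches` and the sample query strings are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Value of an ASCII hex digit, or -1 if c is not one. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Percent-decode src into dst (capacity dstsize, always NUL-terminated,
 * output truncated if it does not fit).  A '%' is treated as an escape
 * only when followed by exactly two hex digits; otherwise the '%' is
 * copied as-is and decoding continues with the next byte, so input such
 * as "%x%x%x" can never make the decoder read past the end of src.
 * Returns the number of malformed '%' sequences seen (-1 if dstsize == 0).
 */
int safe_decode_url(const char *src, char *dst, size_t dstsize)
{
    size_t o = 0;
    int malformed = 0;

    if (dstsize == 0) return -1;
    for (size_t i = 0; src[i] != '\0' && o + 1 < dstsize; i++) {
        if (src[i] == '%') {
            /* Evaluation order matters: src[i+2] is only read when src[i+1]
               is a non-NUL hex digit, so a trailing "%" or "%4" is safe. */
            int hi = src[i + 1] ? hexval((unsigned char)src[i + 1]) : -1;
            int lo = (hi >= 0 && src[i + 2]) ? hexval((unsigned char)src[i + 2]) : -1;
            if (hi >= 0 && lo >= 0) {
                dst[o++] = (char)(hi * 16 + lo);
                i += 2;               /* consume the two hex digits */
                continue;
            }
            malformed++;
            dst[o++] = '%';           /* keep the byte; do not skip what follows */
        } else if (src[i] == '+') {
            dst[o++] = ' ';           /* form-encoded space */
        } else {
            dst[o++] = src[i];
        }
    }
    dst[o] = '\0';
    return malformed;
}

/* 1 if src decodes to expected with exactly `bad` malformed escapes, else 0. */
int decode_matches(const char *src, const char *expected, int bad)
{
    char buf[256];
    int n = safe_decode_url(src, buf, sizeof buf);
    return n == bad && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed query strings: the malformed one mirrors the report above. */
    const char *inputs[] = { "A=%x%x%x%x", "q=%41%62+c", "%2Fetc%2f", "%4", "%" };
    char out[64];
    for (size_t k = 0; k < sizeof inputs / sizeof inputs[0]; k++) {
        int bad = safe_decode_url(inputs[k], out, sizeof out);
        printf("%-14s -> %-12s (malformed escapes: %d)\n", inputs[k], out, bad);
    }
    return 0;
}
```

The count returned for malformed escapes is the useful signal for a defender: a query string carrying many non-hex '%' sequences is exactly the kind of input that should appear in NMZ.warnlog rather than be decoded on trust.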