NCSA security?

NCSA security?

Post by Mark Shapi » Tue, 29 Aug 1995 04:00:00



A few months ago, I saw mention of a security issue related to the then current
version of NCSA HTTPD.  As this was a few months ago, I assume it has been
fixed.  I need to know for sure, though.  I am currently administering a WWW
server using CERN's httpd, but I need to use some SSI features that CERN's does
not support.  Please respond via email, ASAP, with any information <including
the original security issue, if you know what it was>

thanks.

--
Mark Shapiro (SED)

 
 
 

NCSA security?

Post by A. P. Harr » Fri, 01 Sep 1995 04:00:00



Quote:>A few months ago, I saw mention of a security issue related to the then current
>version of NCSA HTTPD.  As this was a few months ago, I assume it has been
>fixed.  I need to know for sure, though.  I am currently administering a WWW
>server using CERN's httpd, but I need to use some SSI features that CERN's does
>not support.  Please respond via email, ASAP, with any information <including
>the original security issue, if you know what it was>

This was a problem in NCSA's 1.3 series.  1.4 fixed it.

NCSA's explanation is on
<URL:http://hoohoo.ncsa.uiuc.edu/docs/patch_desc.html>
There's a CERT advisory somewhere as well.

Basically by feeding the server a very-long GET string,
you could overrun the data space and run over into code
space, at which point you could add whatever assembly
routines you cared to.

That's an old standby.  Unfortunately, people don't seem
to test their code with arbitrary input.

--


 
 
 

1. NCSA Security

Can anyone tell me why when using the htpassword scheme with NCSA, I can
bypass the login & password prompt after the first login.  However, when
I close Netscape and reload the protected page, I am prompted again.  
Is there a way to force a user to be prompted whenever they load a
protected page or directory?

2. Advisories and updates

3. NCSA Security Holes?

4. Remote printing: no daemon present

5. ncsa security, caching, passwd ?????

6. Need QIC-150 driver

7. Security note about NCSA httpd-1.4.2

8. new ext2 filesystem problem

9. NCSA Web Security Certification?

10. Still security holes in NCSA httpd 1.3R

11. NCSA WWW Server Security Questions

12. NCSA httpd on Linux - Security Problem??

13. NCSA httpd: inetd and security