[Full-Disclosure] H9-0001 Advisory: Sphiro HTTPD remote heap overflow (Rosiello Security)
3APA3A
3APA3A at SECURITY.NNOV.RU
Fri Apr 30 16:49:54 BST 2004
Dear Slotto Corleone,
--Friday, April 30, 2004, 3:43:15 AM, you wrote to full-disclosure at lists.netsys.com:
SC> - sphiro/libhttp/http_socks.c
SC> int get_request(int type,struct sockaddr_in client,int sc,SSL *s)
SC> ...
SC> char buffer[MAX_READ +1];
SC> char auth_buff[MAX_READ+1];
SC> char filename[128];
SC> ...
SC> ...
<skipped>
SC> sprintf(filename,"%s%s",config->webroot,request); <-- oops
According to the information you provided, this is a stack overflow, not heap.
And in this very case it looks not to be exploitable, because behind
filename boundaries sprintf() overwrites the beginning of auth_buff. Of course
I may be wrong; full analysis of the source code is required to make a
conclusion.
--
~/ZARAZA
Even if you do receive some letter, you still will not be able to read it. (Twain)
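A bounded form of the path join flagged in the quoted fragment, as an added example (not code from Sphiro HTTPD or from either poster). The names `build_path` and `path_bytes_needed`, the `/var/www` webroot and the sample requests are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define FILENAME_LEN 128   /* size of filename[] in the quoted fragment */

/* Bytes that sprintf(filename, "%s%s", webroot, request) would need,
 * including the terminating NUL. snprintf with a NULL buffer and size 0
 * only measures; it writes nothing. Returns 0 on an encoding error. */
static size_t path_bytes_needed(const char *webroot, const char *request)
{
    int n = snprintf(NULL, 0, "%s%s", webroot, request);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Bounded replacement (hypothetical helper): returns 0 and fills dst on
 * success, -1 if the joined path does not fit. On failure dst is set to
 * the empty string so a truncated path is never opened. */
static int build_path(char *dst, size_t dstlen,
                      const char *webroot, const char *request)
{
    int n;
    if (dst == NULL || dstlen == 0) return -1;
    n = snprintf(dst, dstlen, "%s%s", webroot, request);
    if (n < 0 || (size_t)n >= dstlen) {
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char filename[FILENAME_LEN];
    char long_req[301];               /* constructed sample input */
    const char *webroot = "/var/www"; /* assumed value for config->webroot */

    memset(long_req, 'A', sizeof long_req - 1);
    long_req[0] = '/';
    long_req[sizeof long_req - 1] = '\0';

    printf("short: rc=%d path=%s\n",
           build_path(filename, sizeof filename, webroot, "/index.html"),
           filename);
    printf("long:  rc=%d needs %zu bytes, buffer holds %d\n",
           build_path(filename, sizeof filename, webroot, long_req),
           path_bytes_needed(webroot, long_req), FILENAME_LEN);
    return 0;
}
```

The caller should treat a -1 return as a rejected request rather than fall back to a truncated name.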