From: methodic (methodicslartibartfast.angrypacket.com)
Date: Thu Jan 03 2002 - 17:13:48 CST


                      - -- ------------------------- -- -
    [>(] AngryPacket Security Advisory [>(]
                      - -- ------------------------- -- -

    +--------------------- -- -
    + advisory information
    +------------------ -- -
    author: methodic <methodicslartibartfast.angrypacket.com>
    release date: 01/03/2002
    homepage: http://sec.angrypacket.com
    advisory id: 0x0000

    +-------------------- -- -
    + product information
    +----------------- -- -
    software: Anti-Web httpd (awhttpd)
    author: HardCore Software
    homepage: http://hardcoresoftware.cjb.net/awhttpd/
    description:
         "Anti-Web httpd is a single-process Web server that relies on its
          inherent simplicity to be robust, and secure."

    +---------------------- -- -
    + vulnerability details
    +------------------- -- -
    problem: local denial-of-service
    affected: awhttpd 2.2 and perhaps earlier versions
    explanation: any local user with write access to awhttpd's html
                  directory can crash the daemon by crafting a special
                  script that is parsed by awhttpd's scripting engine
                  (which is enabled by default). the offending code
                  is on line 29 of misc.c:

                  if (filefd[i]!= (FILE *) -1) fclose(filefd[i]);

                  a sample awhttpd script looks like this:
                  # test.cgi
                  --AWHTTPD SCRIPT--
                  echo "this is a test"
                  F:test.html

                  the problem is that if test.html does not exist in the
                  html directory, the (FILE *) -1 check does not catch the
                  failed open and awhttpd crashes in the fclose();
    status: vendor was notified
    exploit: see above
    fix: apply the patches below or disable the scripting engine by
                  editing config.h in the root source directory of awhttpd.
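    as an added illustration (not awhttpd's code and not part of the
    original advisory): a small C model of the misc.c check above, showing
    why a (FILE *) -1 sentinel lets a failed fopen() reach fclose(), next
    to a handler for the F: directive that tests for NULL and clears the
    slot after closing. the filefd array, MAXCONN and the function names
    are assumptions made for the example.

```c
#include <stdio.h>

/* Constructed model of awhttpd's per-connection file slots; the array
 * name mirrors the advisory, MAXCONN is an assumption for the example. */
#define MAXCONN 4
FILE *filefd[MAXCONN];

/* Original awhttpd check: treats (FILE *)-1 as "no file open". fopen()
 * reports failure with NULL, so NULL passes this test and fclose(NULL)
 * is reached, which crashes on common libcs.
 * Returns 1 if the check would hand the pointer to fclose(). */
int would_fclose_original(FILE *fp) { return fp != (FILE *) -1; }

/* Check from the advisory's misc.c patch: NULL is the only "not open". */
int would_fclose_patched(FILE *fp) { return fp != NULL; }

/* Hardened handling of an "F:<file>" directive (assumed semantics: open
 * the named file for reading). A failed open is reported instead of
 * falling through to fclose(), and the slot is cleared after closing so
 * a later cleanup cannot close the same stream twice.
 * Returns 0 on success, -1 if the file could not be opened. */
int handle_file_directive(int i, const char *path) {
    filefd[i] = fopen(path, "r");
    if (filefd[i] == NULL) {
        fprintf(stderr, "Error: cannot locate %s for reading!\n", path);
        return -1;            /* slot stays NULL; nothing to close */
    }
    /* ... file contents would be sent to the client here ... */
    fclose(filefd[i]);
    filefd[i] = NULL;         /* no dangling stream left in the slot */
    return 0;
}

/* Cleanup as discon() does it, with the NULL check and the slot reset. */
void discon_safe(int i) {
    if (filefd[i] != NULL) { fclose(filefd[i]); filefd[i] = NULL; }
}

int main(void) {
    /* constructed input: a file that does not exist in the html directory */
    int rc = handle_file_directive(0, "does-not-exist.html");
    printf("missing file: rc=%d, slot is %s\n", rc, filefd[0] ? "set" : "NULL");
    printf("original check would fclose(NULL): %d\n", would_fclose_original(NULL));
    printf("patched check would fclose(NULL):  %d\n", would_fclose_patched(NULL));
    discon_safe(0);           /* safe even after the failed open */
    return 0;
}
```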

    =====[ begin cut here ]=====
    --- misc.c.orig Wed Jan 2 16:22:24 2002
    +++ misc.c Wed Jan 2 16:26:37 2002
    -26,7 +26,7
     
     void discon(int i) {
       close(infd[i]);
    - if (filefd[i]!= (FILE *) -1) fclose(filefd[i]);
    + if (filefd[i]!= NULL) fclose(filefd[i]);
       if (sending[i]>0) numofusers--;
       sending[i]=0;
       getreqs[i][0]=0;
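    Review bot: the new `if (filefd[i]!= NULL)` test in discon() is only correct if every other place that fills or clears filefd[i] now uses NULL as the "no file open" value; the original sentinel was (FILE *) -1 and this hunk does not show the initialisation or reset being changed, so a slot still holding (FILE *) -1 would now be passed to fclose(). Also, after `fclose(filefd[i]);` the slot keeps pointing at the closed stream; add `filefd[i] = NULL;` directly after the close so a second discon() on the same slot cannot close it twice.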
    =====[ end of misc.c patch ]=====

    =====[ begin cut here ]=====
    --- procscrpt.c.orig Wed Jan 2 16:27:33 2002
    +++ procscrpt.c Wed Jan 2 16:51:47 2002
    -38,6 +38,12
       sending[i]=1;
       strcpy(getreqs[i],tpbuf+2);
       stripcrlf(getreqs[i]);
    + if(doesfileexist(getreqs[i]) == 0) {
    + strcpy(tpbuf, "Error: cannot locate ");
    + strncat(tpbuf, getreqs[i], 256);
    + strcat(tpbuf, " for reading!\n");
    + logthis(3, tpbuf);
    + }
       fclose(filefd[i]);
     } else if (tpbuf[0]==0) {
       discon(i);
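    Review bot: the added existence check only logs and then falls through to the unchanged `fclose(filefd[i]);` on the next line, so when doesfileexist() reports the file missing the stream that failed to open is still closed, which is exactly the crash the advisory describes; the branch needs to skip the fclose (return from the error branch, or move the fclose into an else). The message building is also fragile: `strncat(tpbuf, getreqs[i], 256)` bounds the bytes appended, not the total length of tpbuf, which already holds "Error: cannot locate " and is extended once more by the following strcat; compute the remaining room from sizeof(tpbuf), or build the line with snprintf, instead of a fixed 256.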
    =====[ end of procscrpt.c patch ]=====

    +-------- -- -
    + credits
    +----- -- -
    Bug was found by methodic of AngryPacket security group.
    Patches by methodic.

    +----------- -- -
    + disclaimer
    +-------- -- -
    The contents of this advisory are Copyright (c) 2002 AngryPacket
    Security, and may be distributed freely provided that no fee is charged
    for distribution and that proper credit is given. As such, AngryPacket
    Security group, collectively or individually, shall not be held liable
    or responsible for the misuse of any information contained herein.

                      - -- ------------------------- -- -
    [>(] AngryPacket Security Advisory [>(]
                      - -- ------------------------- -- -