[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: format string bug in namazu.cgi (low severity) (namazu-bugs-en#31)

At Wed, 25 Feb 2004 10:11:40 +0900 (JST),
jonny@xxxxxxxxxxxxxxx wrote:
> cd /var/www/cgi-bin/
> export SCRIPT_NAME=3D./namazu.cgi
> export QUERY_STRING=3D"A=3D%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x"
> ./namazu.cgi && tail -n 4 NMZ.warnlog
> Content-type:  text/html
> =20
> namazu: unknown cgi var: A=3Dxxxxxxxxx=1B$B`=1B$Bt=EF=BF=BD=1B(B(BType   =

> As you can see there appears to be some sort of format bug occuring inter=
> within namazu-cgi, and is causing it do dump parts of the config file bac=
k to
> the user.
> This can be triggered remotely through a web browser - but so far I haven=
't been
> able to identify any real security risks with this bug.

I traced this problem, and I concluded it is not a format string bug.

'%xx' is used as a hexadecimal representation in CGI form. This is a
bug in nmz_decode_url(). It is not considered about non-hexadecimal
characters, so the above situation causes buffer overrun occasionally.

So, if anyone can send such malformed input in CGI form, it is
consider as a serious bug. But I think it is hard because '%xx'
encoding rule is very simple, it should't be passed through any web

However, it is exactly a bug. I'll fix it.

Thank you for your report.
NOKUBI Takatsugu
E-mail: knok@xxxxxxxxxxxxx
	knok@xxxxxxxxxx / knok@xxxxxxxxxx