List: apache-httpd-dev
Subject: Possible security flaw! (Format BUG)
From: Ranier Vilela <ranier () cultura ! com ! br>
Date: 2003-08-31 9:24:04
Hello All,
I tested the source code of httpd-2.0.47 with the pscan tool (a format-bug
scanner), and possible security flaws were found!
Please, can anybody check whether this is a real security problem?
Thanks.
Ranier Vilela
RC Software Ltda.
------------------------------------------------------------------------------------------------------------------------------------------------
[root@desenvolvimento pscan]# ./pscan -vv -w -p wu-ftpd.pscan
/usr/src/httpd-2.0.47/server/*.c
Scanning /usr/src/httpd-2.0.47/server/buildmark.c ...
Scanning /usr/src/httpd-2.0.47/server/config.c ...
/usr/src/httpd-2.0.47/server/config.c:434 FUNC printf format string with
1 parameters: OK
/usr/src/httpd-2.0.47/server/config.c:1485 FUNC fprintf format string
with 2 parameters: OK
/usr/src/httpd-2.0.47/server/config.c:1491 FUNC fprintf format string
with 2 parameters: OK
/usr/src/httpd-2.0.47/server/config.c:1497 FUNC fprintf format string
with 2 parameters: OK
/usr/src/httpd-2.0.47/server/config.c:1511 FUNC fprintf format string
with 3 parameters: OK
/usr/src/httpd-2.0.47/server/config.c:1894 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1898 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1901 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1904 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1911 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1914 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1917 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1920 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1924 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1926 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1931 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1933 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1938 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1940 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1945 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1947 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1952 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1954 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1959 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1973 FUNC printf format string
with 2 parameters: OK
/usr/src/httpd-2.0.47/server/config.c:1976 FUNC printf format string
with 1 parameters: OK
/usr/src/httpd-2.0.47/server/config.c:1988 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1990 FUNC printf format string
with 1 parameters: OK
Scanning /usr/src/httpd-2.0.47/server/connection.c ...
Scanning /usr/src/httpd-2.0.47/server/core.c ...
Scanning /usr/src/httpd-2.0.47/server/error_bucket.c ...
Scanning /usr/src/httpd-2.0.47/server/exports.c ...
Scanning /usr/src/httpd-2.0.47/server/gen_test_char.c ...
/usr/src/httpd-2.0.47/server/gen_test_char.c:83 FUNC printf format
string with 5 parameters: OK
/usr/src/httpd-2.0.47/server/gen_test_char.c:105 FUNC printf Last
argument is variable or reference: BAD
/usr/src/httpd-2.0.47/server/gen_test_char.c:150 FUNC printf format
string with 2 parameters: OK
/usr/src/httpd-2.0.47/server/gen_test_char.c:153 FUNC printf Last
argument is variable or reference: BAD
Scanning /usr/src/httpd-2.0.47/server/listen.c ...
Scanning /usr/src/httpd-2.0.47/server/log.c ...
/usr/src/httpd-2.0.47/server/log.c:559 FUNC syslog format string with 1
parameters: OK
Scanning /usr/src/httpd-2.0.47/server/main.c ...
/usr/src/httpd-2.0.47/server/main.c:91 FUNC printf format string with 1
parameters: OK
/usr/src/httpd-2.0.47/server/main.c:92 FUNC printf format string with 1
parameters: OK
/usr/src/httpd-2.0.47/server/main.c:93 FUNC printf format string with 2
parameters: OK
/usr/src/httpd-2.0.47/server/main.c:101 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:103 FUNC printf format string with 1
parameters: OK
/usr/src/httpd-2.0.47/server/main.c:107 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:111 FUNC printf format string with 1
parameters: OK
/usr/src/httpd-2.0.47/server/main.c:115 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:119 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:123 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:127 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:131 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:135 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:139 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:141 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:143 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:148 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:152 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:156 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:160 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:164 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:168 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:172 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:176 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:180 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:184 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:188 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:190 FUNC printf format string with 1
parameters: OK
/usr/src/httpd-2.0.47/server/main.c:195 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:199 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:203 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:207 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:212 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:216 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:220 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:224 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:228 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:232 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:236 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:240 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:244 FUNC printf Last argument is
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:522 FUNC printf format string with 1
parameters: OK
/usr/src/httpd-2.0.47/server/main.c:523 FUNC printf format string with 1
parameters: OK
Scanning /usr/src/httpd-2.0.47/server/mpm_common.c ...
/usr/src/httpd-2.0.47/server/mpm_common.c:794 FUNC printf format string
with 1 parameters: OK
/usr/src/httpd-2.0.47/server/mpm_common.c:801 FUNC printf format string
with 1 parameters: OK
/usr/src/httpd-2.0.47/server/mpm_common.c:811 FUNC printf Last argument
is variable or reference: BAD
/usr/src/httpd-2.0.47/server/mpm_common.c:821 FUNC printf Last argument
is variable or reference: BAD
Scanning /usr/src/httpd-2.0.47/server/protocol.c ...
/usr/src/httpd-2.0.47/server/protocol.c:689 FUNC sscanf format string
with 3 parameters: OK
Scanning /usr/src/httpd-2.0.47/server/provider.c ...
Scanning /usr/src/httpd-2.0.47/server/request.c ...
Scanning /usr/src/httpd-2.0.47/server/rfc1413.c ...
/usr/src/httpd-2.0.47/server/rfc1413.c:253 FUNC sscanf format string
with 3 parameters: OK
Scanning /usr/src/httpd-2.0.47/server/scoreboard.c ...
Scanning /usr/src/httpd-2.0.47/server/util.c ...
Scanning /usr/src/httpd-2.0.47/server/util_cfgtree.c ...
Scanning /usr/src/httpd-2.0.47/server/util_charset.c ...
Scanning /usr/src/httpd-2.0.47/server/util_debug.c ...
Scanning /usr/src/httpd-2.0.47/server/util_ebcdic.c ...
Scanning /usr/src/httpd-2.0.47/server/util_filter.c ...
Scanning /usr/src/httpd-2.0.47/server/util_md5.c ...
Scanning /usr/src/httpd-2.0.47/server/util_script.c ...
Scanning /usr/src/httpd-2.0.47/server/util_time.c ...
Scanning /usr/src/httpd-2.0.47/server/util_xml.c ...
Scanning /usr/src/httpd-2.0.47/server/vhost.c ...
Warnings: 0
Total problems identified: 59
[root@desenvolvimento pscan]#
["config.c.diff" (text/plain)]
--- config_old.c 2003-08-31 06:06:49.000000000 -0300
+++ config.c 2003-08-31 06:09:16.000000000 -0300
@@ -1891,72 +1891,72 @@
{
int n = 0;
- printf("\tAllowed in *.conf ");
+ printf("%s\t", "Allowed in *.conf ");
if ((pc->req_override & (OR_OPTIONS | OR_FILEINFO | OR_INDEXES))
|| ((pc->req_override & RSRC_CONF)
&& ((pc->req_override & (ACCESS_CONF | OR_AUTHCFG | OR_LIMIT))))) {
- printf("anywhere");
+ printf("%s", "anywhere");
}
else if (pc->req_override & RSRC_CONF) {
- printf("only outside <Directory>, <Files> or <Location>");
+ printf("%s", "only outside <Directory>, <Files> or <Location>");
}
else {
- printf("only inside <Directory>, <Files> or <Location>");
+ printf("%s", "only inside <Directory>, <Files> or <Location>");
}
/* Warn if the directive is allowed inside <Directory> or .htaccess
* but module doesn't support per-dir configuration
*/
if ((pc->req_override & (OR_ALL | ACCESS_CONF)) && !pm->create_dir_config)
- printf(" [no per-dir config]");
+ printf("%s", " [no per-dir config]");
if (pc->req_override & OR_ALL) {
- printf(" and in .htaccess\n\twhen AllowOverride");
+ printf("%s", " and in .htaccess\n\twhen AllowOverride");
if ((pc->req_override & OR_ALL) == OR_ALL) {
- printf(" isn't None");
+ printf("%s", " isn't None");
}
else {
- printf(" includes ");
+ printf("%s", " includes ");
if (pc->req_override & OR_AUTHCFG) {
if (n++)
- printf(" or ");
+ printf("%s", " or ");
- printf("AuthConfig");
+ printf("%s", "AuthConfig");
}
if (pc->req_override & OR_LIMIT) {
if (n++)
- printf(" or ");
+ printf("%s", " or ");
- printf("Limit");
+ printf("%s", "Limit");
}
if (pc->req_override & OR_OPTIONS) {
if (n++)
- printf(" or ");
+ printf("%s", " or ");
- printf("Options");
+ printf("%s", "Options");
}
if (pc->req_override & OR_FILEINFO) {
if (n++)
- printf(" or ");
+ printf("%s", " or ");
- printf("FileInfo");
+ printf("%s", "FileInfo");
}
if (pc->req_override & OR_INDEXES) {
if (n++)
- printf(" or ");
+ printf("%s", " or ");
- printf("Indexes");
+ printf("%s", "Indexes");
}
}
}
- printf("\n");
+ printf("%s", "\n");
}
/* Show the preloaded configuration directives, the help string explaining
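Review bot: The first replacement, `printf("%s\t", "Allowed in *.conf ");`, moves the tab from before the text to after it, so the help output changes; if the rewrite is kept it should read `printf("\t%s", "Allowed in *.conf ");`. Every other call touched in this hunk already passed a string literal with no `%` conversion as its format, so no run-time data reaches the format argument and the scanner's "Last argument is variable or reference" result appears to be a false positive for these lines. The same holds for the second config.c hunk and for the literal-only `-D` flag lines in main.c. If the aim is to keep format strings out of fixed output, `fputs("anywhere", stdout);` says that more directly than `printf("%s", ...)`. The enclosing function starts above the hunk.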
@@ -1985,7 +1985,7 @@
{
int n;
- printf("Compiled in modules:\n");
+ printf("%s\n", "Compiled in modules:");
for (n = 0; ap_loaded_modules[n]; ++n)
printf(" %s\n", ap_loaded_modules[n]->name);
}
["gen_test_char.c.diff" (text/plain)]
--- gen_test_char.c 2003-08-31 06:10:35.000000000 -0300
+++ gen_teste_char_old.c 2003-08-31 06:09:46.000000000 -0300
@@ -102,7 +102,7 @@
for (c = 1; c < 256; ++c) {
flags = 0;
if (c % 20 == 0)
- printf("%s", "\n ");
+ printf("\n ");
/* escape_shell_cmd */
#if defined(WIN32) || defined(OS2)
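Review bot: The direction of this diff looks reversed compared with the other attachments: the `---` side is `gen_test_char.c`, the `+++` side is `gen_teste_char_old.c`, and the `+` lines carry the plain `printf("\n ");` form. Applied as posted, it would remove the `"%s"` form rather than introduce it, and the second hunk in this file (`printf("\n};\n");`) is affected the same way. Regenerating the diff with the old file first would make it consistent with config.c.diff and main.c.diff. Both format strings are literals without conversions, so either direction leaves behaviour unchanged. The loop body continues past the end of the hunk.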
@@ -150,7 +150,7 @@
printf("%u%c", flags, (c < 255) ? ',' : ' ');
}
- printf("%s", "\n};\n");
+ printf("\n};\n");
return 0;
}
["main.c.diff" (text/plain)]
--- main_old.c 2003-08-31 05:56:46.000000000 -0300
+++ main.c 2003-08-31 06:11:54.000000000 -0300
@@ -98,13 +98,13 @@
* consistent
*/
printf("Architecture: %ld-bit\n", 8 * (long)sizeof(void *));
- printf("Server compiled with....\n");
+ printf("%s\n", "Server compiled with....");
#ifdef BIG_SECURITY_HOLE
- printf(" -D BIG_SECURITY_HOLE\n");
+ printf("%s\n", " -D BIG_SECURITY_HOLE");
#endif
#ifdef SECURITY_HOLE_PASS_AUTHORIZATION
- printf(" -D SECURITY_HOLE_PASS_AUTHORIZATION\n");
+ printf("%s\n", " -D SECURITY_HOLE_PASS_AUTHORIZATION");
#endif
#ifdef APACHE_MPM_DIR
@@ -112,136 +112,136 @@
#endif
#ifdef HAVE_SHMGET
- printf(" -D HAVE_SHMGET\n");
+ printf("%s\n", " -D HAVE_SHMGET");
#endif
#if APR_FILE_BASED_SHM
- printf(" -D APR_FILE_BASED_SHM\n");
+ printf("%s\n", " -D APR_FILE_BASED_SHM");
#endif
#if APR_HAS_SENDFILE
- printf(" -D APR_HAS_SENDFILE\n");
+ printf("%s\n", " -D APR_HAS_SENDFILE");
#endif
#if APR_HAS_MMAP
- printf(" -D APR_HAS_MMAP\n");
+ printf("%s\n", " -D APR_HAS_MMAP");
#endif
#ifdef NO_WRITEV
- printf(" -D NO_WRITEV\n");
+ printf("%s\n", " -D NO_WRITEV");
#endif
#ifdef NO_LINGCLOSE
- printf(" -D NO_LINGCLOSE\n");
+ printf("%s\n", " -D NO_LINGCLOSE");
#endif
#if APR_HAVE_IPV6
- printf(" -D APR_HAVE_IPV6 (IPv4-mapped addresses ");
+ printf("%s", " -D APR_HAVE_IPV6 (IPv4-mapped addresses ");
#ifdef AP_ENABLE_V4_MAPPED
- printf("enabled)\n");
+ printf("%s\n", "enabled)");
#else
- printf("disabled)\n");
+ printf("%s\n", "disabled)");
#endif
#endif
#if APR_USE_FLOCK_SERIALIZE
- printf(" -D APR_USE_FLOCK_SERIALIZE\n");
+ printf("%s\n", " -D APR_USE_FLOCK_SERIALIZE");
#endif
#if APR_USE_SYSVSEM_SERIALIZE
- printf(" -D APR_USE_SYSVSEM_SERIALIZE\n");
+ printf("%s\n", " -D APR_USE_SYSVSEM_SERIALIZE");
#endif
#if APR_USE_POSIXSEM_SERIALIZE
- printf(" -D APR_USE_POSIXSEM_SERIALIZE\n");
+ printf("%s\n", " -D APR_USE_POSIXSEM_SERIALIZE");
#endif
#if APR_USE_FCNTL_SERIALIZE
- printf(" -D APR_USE_FCNTL_SERIALIZE\n");
+ printf("%s\n", " -D APR_USE_FCNTL_SERIALIZE");
#endif
#if APR_USE_PROC_PTHREAD_SERIALIZE
- printf(" -D APR_USE_PROC_PTHREAD_SERIALIZE\n");
+ printf("%s\n", " -D APR_USE_PROC_PTHREAD_SERIALIZE");
#endif
#if APR_USE_PTHREAD_SERIALIZE
- printf(" -D APR_USE_PTHREAD_SERIALIZE\n");
+ printf("%s\n", " -D APR_USE_PTHREAD_SERIALIZE");
#endif
#if APR_PROCESS_LOCK_IS_GLOBAL
- printf(" -D APR_PROCESS_LOCK_IS_GLOBAL\n");
+ printf("%s\n", " -D APR_PROCESS_LOCK_IS_GLOBAL");
#endif
#ifdef SINGLE_LISTEN_UNSERIALIZED_ACCEPT
- printf(" -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT\n");
+ printf("%s\n", " -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT");
#endif
#if APR_HAS_OTHER_CHILD
- printf(" -D APR_HAS_OTHER_CHILD\n");
+ printf("%s\n", " -D APR_HAS_OTHER_CHILD");
#endif
#ifdef AP_HAVE_RELIABLE_PIPED_LOGS
- printf(" -D AP_HAVE_RELIABLE_PIPED_LOGS\n");
+ printf("%s\n", " -D AP_HAVE_RELIABLE_PIPED_LOGS");
#endif
#ifdef BUFFERED_LOGS
- printf(" -D BUFFERED_LOGS\n");
+ printf("%s\n", " -D BUFFERED_LOGS");
#ifdef PIPE_BUF
printf(" -D PIPE_BUF=%ld\n",(long)PIPE_BUF);
#endif
#endif
#if APR_CHARSET_EBCDIC
- printf(" -D APR_CHARSET_EBCDIC\n");
+ printf("%s\n", " -D APR_CHARSET_EBCDIC");
#endif
#ifdef APACHE_XLATE
- printf(" -D APACHE_XLATE\n");
+ printf("%s\n", " -D APACHE_XLATE");
#endif
#ifdef NEED_HASHBANG_EMUL
- printf(" -D NEED_HASHBANG_EMUL\n");
+ printf("%s\n", " -D NEED_HASHBANG_EMUL");
#endif
#ifdef SHARED_CORE
- printf(" -D SHARED_CORE\n");
+ printf("%s\n", " -D SHARED_CORE");
#endif
/* This list displays the compiled in default paths: */
#ifdef HTTPD_ROOT
- printf(" -D HTTPD_ROOT=\"" HTTPD_ROOT "\"\n");
+ printf("%s\n", " -D HTTPD_ROOT=\"" HTTPD_ROOT "\"");
#endif
#ifdef SUEXEC_BIN
- printf(" -D SUEXEC_BIN=\"" SUEXEC_BIN "\"\n");
+ printf("%s\n", " -D SUEXEC_BIN=\"" SUEXEC_BIN "\"");
#endif
#if defined(SHARED_CORE) && defined(SHARED_CORE_DIR)
- printf(" -D SHARED_CORE_DIR=\"" SHARED_CORE_DIR "\"\n");
+ printf("%s\n", " -D SHARED_CORE_DIR=\"" SHARED_CORE_DIR "\"");
#endif
#ifdef DEFAULT_PIDLOG
- printf(" -D DEFAULT_PIDLOG=\"" DEFAULT_PIDLOG "\"\n");
+ printf("%s\n", " -D DEFAULT_PIDLOG=\"" DEFAULT_PIDLOG "\"");
#endif
#ifdef DEFAULT_SCOREBOARD
- printf(" -D DEFAULT_SCOREBOARD=\"" DEFAULT_SCOREBOARD "\"\n");
+ printf("%s\n", " -D DEFAULT_SCOREBOARD=\"" DEFAULT_SCOREBOARD "\"");
#endif
#ifdef DEFAULT_LOCKFILE
- printf(" -D DEFAULT_LOCKFILE=\"" DEFAULT_LOCKFILE "\"\n");
+ printf("%s\n", " -D DEFAULT_LOCKFILE=\"" DEFAULT_LOCKFILE "\"");
#endif
#ifdef DEFAULT_ERRORLOG
- printf(" -D DEFAULT_ERRORLOG=\"" DEFAULT_ERRORLOG "\"\n");
+ printf("%s\n", " -D DEFAULT_ERRORLOG=\"" DEFAULT_ERRORLOG "\"");
#endif
#ifdef AP_TYPES_CONFIG_FILE
- printf(" -D AP_TYPES_CONFIG_FILE=\"" AP_TYPES_CONFIG_FILE "\"\n");
+ printf("%s\n", " -D AP_TYPES_CONFIG_FILE=\"" AP_TYPES_CONFIG_FILE "\"");
#endif
#ifdef SERVER_CONFIG_FILE
- printf(" -D SERVER_CONFIG_FILE=\"" SERVER_CONFIG_FILE "\"\n");
+ printf("%s\n", " -D SERVER_CONFIG_FILE=\"" SERVER_CONFIG_FILE "\"");
#endif
}
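Review bot: The path lines from `HTTPD_ROOT` through `SERVER_CONFIG_FILE` are the only calls in this hunk where the rewrite changes how the output is produced, and the new code does not record why. In the old form the macro text was concatenated into the format string, so a `%` in a configured path would have been parsed as a conversion. These values look like build-time settings rather than request data (inferred, since the macro definitions are not visible here), so this is a robustness improvement rather than a remotely reachable flaw. A comment above `#ifdef HTTPD_ROOT`, such as `/* Configured paths are passed as arguments so a '%' in them is printed literally. */`, would keep the change from being reverted later as noise. The function body begins above the hunk.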
["mpm_common.c.diff" (text/plain)]