Re: [Full-Disclosure] H9-0001 Advisory: Sphiro HTTPD remote heap overflow (Rosiello Security)

Dear Slotto Corleone,

--Friday, April 30, 2004, 3:43:15 AM, you wrote to full-disclosure@lists.netsys.com:

SC> - sphiro/libhttp/http_socks.c
SC> int get_request(int type,struct sockaddr_in client,int sc,SSL *s)
SC> ...
SC> char buffer[MAX_READ +1];
SC> char auth_buff[MAX_READ+1];
SC> char filename[128];
SC> ...
SC> ...

<skipped>

SC> sprintf(filename,"%s%s",config->webroot,request); <-- oops

According to information you provided this is stack overflow, not heap.
And in this very case it looks not to be exploitable, because behind
filename boundaries sprintf() overwrites beginning of auth_buf. Of cause
I may be wrong, full annalists of source code required to make
conclusion.

-- 
~/ZARAZA
Åñëè äàæå âû ïîëó÷èòå êàêîå-íèáóäü ïèñüìî, âû âñå ðàâíî íå ñóìååòå åãî ïðî÷èòàòü. (Òâåí)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html