Received: (qmail 15506 invoked by uid 2012); 10 Dec 1998 19:01:44 -0000 Message-Id: <19981210190144.15505.qmail@hyperreal.org> Date: 10 Dec 1998 19:01:44 -0000 From: Matthew Soffen Reply-To: msoffen@iso-ne.com To: apbugs@hyperreal.org Subject: Directory listings messed up (showing random data from memory). X-Send-Pr-Version: 3.2 >Number: 3522 >Category: mod_autoindex >Synopsis: Directory listings messed up (showing random data from memory). >Confidential: no >Severity: critical >Priority: medium >Responsible: apache >State: closed >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Thu Dec 10 11:10:00 PST 1998 >Closed-Date: Thu May 25 08:46:08 PDT 2000 >Last-Modified: Thu May 25 08:46:08 PDT 2000 >Originator: msoffen@iso-ne.com >Release: 1.3.3 >Organization: >Environment: Standard C Compiler IRIX64 mis1 6.4 02121744 IP27 It was compiled with standard options for irix/sgi (I didn't change anything) >Description: Instead of generating a simple link for a page, it is getting additional data.
  • MA_AGC_ISO_1998110301_19981105130435.CSV.gzs/participant/50051/MA/README The BIGGEST security problem is that occasionally it gets data from /etc/passwd and displays it all (including the encrypted passwords). >How-To-Repeat: Have a directory with over 1000 files. I unfortunatly can't supply you with a URL (its behind firewalls and is confidential information). >Fix: I was able to track the bug into the function output_directories (/modules/standard/mod_autoindex.c) and have currently kludged a fix to it. The problem appears to be when the function ap_rvputs(r, "
  • ", t2, "", pad, NULL); is called. The pad function. The pad variable has random garbage from RAM inserted into it (at least for non-fancy indexing). For my quick fix, I explicitly told it to use a " " when it was not fancy indexing instead of the pad with bogus data. ap_rvputs(r, "
  • ", t2, "", (autoindex_opts & FANCY_INDEXING) ? pad : " ", NULL); The fix should be to ensure that any/all places that pad is used that it gets initialized to '\0's. >Release-Note: >Audit-Trail: Release-Changed-From-To: Apache 1.3.3-1.3.3 Release-Changed-By: coar Release-Changed-When: Wed Mar 24 12:08:27 PST 1999 Category-Changed-From-To: os-irix-mod_autoindex Category-Changed-By: coar Category-Changed-When: Wed Mar 24 12:08:27 PST 1999 State-Changed-From-To: open-closed State-Changed-By: coar State-Changed-When: Thu May 25 08:46:07 PDT 2000 State-Changed-Why: This was fixed around the 1.3.6 timeframe, I believe. >Unformatted: [In order for any reply to be added to the PR database, ] [you need to include in the Cc line ] [and leave the subject line UNCHANGED. This is not done] [automatically because of the potential for mail loops. ] [If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request ] [from a developer. ] [Reply only with text; DO NOT SEND ATTACHMENTS! ]