NCSA HTTPD 1.3 Security Problem

Keith Robison robison at
Thu Feb 16 09:39:28 EST 1995

For those webmasters who haven't seen it yet, there is a security hole
in NCSA HTTPD 1.3 which can apparently be exploited by an automated
script.  NCSA has not yet provided fixed source or binaries, but
the CIAC folks recommend a simple fix in the source.  I have recompiled
NCSA httpd 1.3 for SunOS 4.x using gcc, and this binary is available 
via anonymous FTP

Replace your existing httpd binary with this one and restart the server.

CIAC advisory attached.

Keith Robison
Harvard University
Department of Cellular and Developmental Biology
Department of Genetics / HHMI

robison at 

>             _____________________________________________________
>                        The U.S. Department of Energy
>                     Computer Incident Advisory Capability
>                            ___  __ __    _     ___
>                           /       |     /_\   /
>                           \___  __|__  /   \  \___
>             _____________________________________________________

>                                ADVISORY NOTICE

>                         Unix NCSA httpd Vulnerability

> February 14, 1995 1030 PST                                        Number F-11
> _____________________________________________________________________________

> PROBLEM:       A vulnerability has been discovered in the NCSA WWW server
>                software (httpd).
> PLATFORMS:     Unix systems running NCSA httpd version 1.3.
> DAMAGE:        Remote users may gain unauthorized access.
> SOLUTION:      Implement workaround as described below.
> _____________________________________________________________________________

> VULNERABILITY  This vulnerability, along with an automated exploitation
> ASSESSMENT:    script, has been announced in public forums on the Internet.
>                CIAC recommends that sites install the workaround on affected 
>                systems as soon as possible.
> _____________________________________________________________________________

>           Critical Information about the NCSA httpd Vulnerability

> CIAC has learned of a serious vulnerability in the NCSA WWW server software,
> httpd.  By sending a carefully constructed request to the WWW server, an
> intruder can cause an internal buffer overflow and push arbitrary 
> instructions onto the program stack.  These new instructions may allow the
> intruder unauthorized access to the WWW server.

> Until official patches are available from NCSA, CIAC recommends the following
> temporary fix be installed.  In the file httpd.h, change the string length
> definitions from:

>       /* The default string lengths */
>       #define MAX_STRING_LEN 256
>       #define HUGE_STRING_LEN 8192

> to:

>       /* The default string lengths */
>       #define HUGE_STRING_LEN 8192

> Then rebuild, install, and restart the new httpd server.

> It is likely that these attacks will generate unusual server log entries.  
> The httpd access_log file should be examined for unusual requests, especially
> those containing control characters.

> Note that while this workaround addresses the vulnerability currently being
> exploited, there are likely to be other similar vulnerabilities present in
> this and other WWW server software.  To lessen the chance of compromise, it
> is strongly recommended that WWW servers run as unprivileged users (e.g.
> user "nobody") and that they be locked into a restricted filesystem via the
> chroot() system call.  For more information, please see CIAC Document 2308, 
> "Securing Internet Information Servers," which is available via anonymous
> FTP from in the directory /pub/ciac/ciacdocs/.

More information about the Bio-www mailing list