Reference: CERT-EU Security Advisory 2013-0075

Title: Apache Execute arbitrary code/commands - Remote/unauthenticated [1]

Version history:
14.10.2013 Initial publication

Summary
=======
Robert Matthews discovered that the Apache FCGID module, a FastCGI implementation for Apache HTTP Server, fails to perform adequate boundary checks on user-supplied input. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code.

CVE numbers: CVE-2013-4365

Affected Versions
=================
Apache mod_fcgid FastCGI software

Original Details
================
The basic problem is that you can crash an Apache process running mod_fcgid with this trivial one-line PHP script:

    error_log(str_repeat("x", 20000));

The crash happens in fcgid_header_bucket_read() of fcgid_bucket.c, which does a memcpy of the 20000 bytes into an 8000 byte buffer. In the 'if (header.type == FCGI_STDERR)' section beginning at line 112, the code allocates a buffer of APR_BUCKET_BUFF_SIZE, which is 8000 bytes. However, the FastCGI spec says that the message can be up to 65535 bytes.

What can you do?
================
The update can be applied directly in the source code [2]. Vendor-specific updates are also available [3], [4].

What to tell your users
=======================
N/A

More information
================
[1] http://blog.tigertech.net/posts/cve-2013-4365/
[2] http://svn.apache.org/viewvc/httpd/mod_fcgid/trunk/modules/fcgid/fcgid_bucket.c?r1=1030894&r2=1527362&diff_format=h
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1017039
[4] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725942

Best regards,
CERT-EU Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html
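
The flaw described under Original Details is a copy sized by a peer-declared length (up to 65535 bytes) into a fixed 8000-byte buffer. The C sketch below is an added example, not mod_fcgid's code or the upstream patch: it reads an FCGI_STDERR record in chunks bounded by the buffer size, and the names read_stderr_record, sink, demo and last_stats are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FCGI_HEADER_LEN 8      /* fixed record header size (FastCGI spec) */
#define FCGI_STDERR     7      /* record type (FastCGI spec) */
#define BUF_SIZE        8000   /* APR_BUCKET_BUFF_SIZE value given in the advisory */
struct stats { size_t total, max_chunk; };
struct stats last_stats;       /* hypothetical: filled by the demo sink below */

/* Hypothetical sink standing in for the code that logs each stderr chunk. */
static void sink(const char *chunk, size_t n) {
    (void)chunk; last_stats.total += n;
    if (n > last_stats.max_chunk) last_stats.max_chunk = n;
}

/* Returns chunks delivered for an FCGI_STDERR record, 0 for other record
 * types, -1 if the input is shorter than the header or the declared content. */
int read_stderr_record(const uint8_t *rec, size_t rec_len) {
    char buf[BUF_SIZE];
    if (rec_len < FCGI_HEADER_LEN) return -1;
    size_t left = ((size_t)rec[4] << 8) | rec[5];   /* contentLength: 0..65535 */
    if (left > rec_len - FCGI_HEADER_LEN) return -1;
    if (rec[1] != FCGI_STDERR) return 0;
    const uint8_t *p = rec + FCGI_HEADER_LEN;
    int chunks = 0;
    /* Overflow pattern: memcpy(buf, p, left) trusts the peer-declared length.
     * Bounded form: never copy more than sizeof buf per iteration. */
    while (left > 0) {
        size_t n = left < sizeof buf ? left : sizeof buf;
        memcpy(buf, p, n);
        sink(buf, n);
        p += n; left -= n; chunks++;
    }
    return chunks;
}

/* Constructed sample: a record of the given type carrying content_len 'x'
 * bytes, of which only `supplied` bytes are handed to the parser. */
int demo(uint8_t type, uint16_t content_len, size_t supplied) {
    static uint8_t rec[FCGI_HEADER_LEN + 65535];
    memset(rec, 0, FCGI_HEADER_LEN);
    rec[0] = 1; rec[1] = type;                      /* version 1 */
    rec[4] = (uint8_t)(content_len >> 8); rec[5] = (uint8_t)(content_len & 0xff);
    memset(rec + FCGI_HEADER_LEN, 'x', content_len);
    last_stats.total = last_stats.max_chunk = 0;
    return read_stderr_record(rec, supplied);
}

int main(void) { return demo(FCGI_STDERR, 20000, FCGI_HEADER_LEN + 20000) == 3 ? 0 : 1; }
```

With the advisory's 20000-byte message the content is delivered in three chunks, none larger than the 8000-byte buffer.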