YOPS (Your Own Personal [WEB] Server) is an HTTP server for Linux written in C.

The http_parse_request_header function in YOPS performs no bounds checking on the buffer received from an HTTP command (HEAD/GET/POST) before that data is used in the swebs_record_log function as an argument for the logger variable. An overly long request parameter can trigger a buffer overflow, leading to arbitrary code execution. The vulnerable code is shown below:

--- http.c snippet ---
int http_parse_request_header(char *data, struct http_request_header *h)
{
    int r;
    int ver, rev;
    char *s, *tok, *l, *prm;
    [...]
    r = sscanf(h->http, " HTTP/%d.%d ", &ver, &rev);
    if (r != 2)
        return -400;
    [...]
}
--- END snippet ---

--- swebs.c snippet ---
int swebs_record_log(int log, JOB *job)
{
    int err;
    time_t now;
    char timestr[32];
    char logrec[MAX_REQUEST_LINE_LEN + 1];
    [...]
    /* no length limit: the client-supplied request_line is copied into the fixed-size logrec */
    sprintf ( logrec, "%s\t[%s]\t\"%s\"\t(%d+%d/%d)\t%d",
              job->client,
              timestr,
              job->hdr.request_line,
              job->response_hlen,
              job->response_blen_sent,
              job->response_blen,
              job->status );
    [...]
}
--- END snippet ---

yoopss YOPS 2009

Vendor patch:

yoopss
------
The vendor has not yet provided a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:

http://sourceforge.net/projects/yops2009/
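A bounded form of the sprintf() into logrec from the swebs.c snippet, as an added example that is not YOPS code and not a vendor fix. The log_fields struct, the format_log_record name and the value 256 for MAX_REQUEST_LINE_LEN are assumptions; the sample request in main() is constructed.

```c
#include <stdio.h>
#include <string.h>

#define MAX_REQUEST_LINE_LEN 256  /* assumed; the page does not give the value */
#define LOGREC_SIZE (MAX_REQUEST_LINE_LEN + 1)

/* Hypothetical stand-in for the JOB fields the log call reads. */
struct log_fields {
    const char *client, *timestr, *request_line;
    int hlen, blen_sent, blen, status;
};

/* Bounded form of the sprintf() into logrec. Returns 0 if the record fit,
 * 1 if the request line was shortened, -1 if the fixed fields alone overflow. */
int format_log_record(char *out, size_t outsz, const struct log_fields *f)
{
    /* Pass 1: measure the record with an empty request line. */
    int fixed = snprintf(NULL, 0, "%s\t[%s]\t\"\"\t(%d+%d/%d)\t%d",
                         f->client, f->timestr, f->hlen, f->blen_sent,
                         f->blen, f->status);
    if (fixed < 0 || (size_t)fixed >= outsz) {
        if (outsz) out[0] = '\0';
        return -1;
    }
    size_t room = outsz - 1 - (size_t)fixed;   /* bytes left before the NUL */
    size_t want = strlen(f->request_line);
    int keep = (int)(want < room ? want : room);

    /* Pass 2: %.*s caps the client-supplied field, so the status fields survive. */
    int n = snprintf(out, outsz, "%s\t[%s]\t\"%.*s\"\t(%d+%d/%d)\t%d",
                     f->client, f->timestr, keep, f->request_line,
                     f->hlen, f->blen_sent, f->blen, f->status);
    if (n < 0 || (size_t)n >= outsz) { out[0] = '\0'; return -1; }
    return (size_t)keep < want ? 1 : 0;
}

int main(void)
{
    char logrec[LOGREC_SIZE], line[1024];     /* constructed over-long request */
    memset(line, 'A', sizeof line - 1);
    line[sizeof line - 1] = '\0';
    struct log_fields f = { "192.0.2.10", "01/Jan/2009 00:00:00", line, 0, 0, 0, 400 };
    int rc = format_log_record(logrec, sizeof logrec, &f);
    printf("rc=%d len=%zu\n", rc, strlen(logrec));
    return 0;
}
```

This only keeps the logger within its buffer; the missing length check in the request parser still has to be added so over-long request lines are rejected before they reach any other fixed-size buffer.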