bbs2www 2.01我简单看了一下
只找到三个明显的buffer overflow和一个输入检查不充分的问题
这三个overflow都不太好利用,但是不排除被利用入侵
的可能性,尤其是bbssdm.c的那个overflow,是明显可以
被利用的.
bbssdm.c同时也有输入检查不足的问题
patch附后,因为我没有使用fb2000,所以编译bbs2www 2.01
不是太方便,这个patch没有经过测试.
diff -u bbs2www-2.01/bbs0an.c bbs2www-2.01-n/bbs0an.c
--- bbs2www-2.01/bbs0an.c Sat Feb 24 05:28:59 2001
+++ bbs2www-2.01-n/bbs0an.c Thu Mar 21 15:53:28 2002
@@ -41,7 +41,7 @@
path = cgi_get ("path");
- sprintf (filename, "%s/0Announce%s/.Names", BBSHOME, path);
+ snprintf (filename, sizeof(filename),"%s/0Announce%s/.Names", BBSHOME, path);
if (!(inf = fopen (filename, "r")))
{
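Review bot: The bounded snprintf stops the stack overflow, but `path` from cgi_get() is still spliced into a filesystem path with no validation, so a value containing `..` components still selects files outside the 0Announce tree; reject such values before building the name, e.g. `if (strstr(path, "..")) show_error("Invalid path");` (or whatever error path this file uses). The same applies to the bbsanc.c hunk below, which interpolates the same `path` into `buf`. `sizeof(filename)` is only the buffer size if `filename` is declared as an array in this function — its declaration is outside the hunk; if it were a `char *` the bound would become the pointer size. A truncated result silently yields a different path, so compare snprintf's return value against `sizeof filename` before the fopen. The enclosing function starts before the hunk and continues after it.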
diff -u bbs2www-2.01/bbsanc.c bbs2www-2.01-n/bbsanc.c
--- bbs2www-2.01/bbsanc.c Tue Mar 6 04:01:23 2001
+++ bbs2www-2.01-n/bbsanc.c Thu Mar 21 15:52:41 2002
@@ -45,7 +45,7 @@
path = cgi_get ("path");
- sprintf (buf, "%s/0Announce%s", BBSHOME, path);
+ snprintf (buf, sizeof(buf),"%s/0Announce%s", BBSHOME, path);
cgi_quit ();
diff -u bbs2www-2.01/bbssdm.c bbs2www-2.01-n/bbssdm.c
--- bbs2www-2.01/bbssdm.c Sat Feb 24 05:29:00 2001
+++ bbs2www-2.01-n/bbssdm.c Thu Mar 21 16:01:49 2002
@@ -22,6 +22,21 @@
#include "bbs2www.h"
+int
+invalid(char *to)
+{
+ int i=0;
+ while(to[i]){
+ if(!(to[i]>='a'&&to[i]<='z'
+ ||to[i]>='A'&&to[i]<='Z'
+ ||to[i]>='0'&&to[i]<='9'
+ ||to[i]=='.'||to[i]=='@')
+ return 1;
+ i++;
+ }
+ return 0;
+}
+
static char *
autocr (char *post)
{
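Review bot: The allow-list in `invalid()` rejects any address containing `-` or `_`, so a hyphenated domain such as `mail-list.example.org` (constructed sample) can never be mailed; if those characters are added, keep `-` disallowed in the first position so the argument cannot be read by `SEND_MAIL` as an option. An empty `to` passes the check and produces a command with no recipient; `if (to[0] == '\0') return 1;` at the top closes that. Style: the function is file-private and does not modify its argument, so `static int invalid(const char *to)` and parentheses around each `&&` clause would make the precedence explicit (it is correct as written, since `&&` binds tighter than `||`). `autocr` at the end of the hunk continues outside it.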
@@ -129,7 +144,10 @@
if (ALLOW_INTERNET_EMAIL != 1)
show_error ("Internet Email not allowed in this BBS");
- sprintf (filename, "%s -f %s.bbs@%s %s", SEND_MAIL,
+ if(invalid(to))
+ show_error("Invalid Email Address");
+
+ snprintf (filename,sizeof(filename), "%s -f %s.bbs@%s %s", SEND_MAIL,
cookie.id, BBSHOST, to);
fout = popen (filename, "w");
if (fout == NULL)
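Review bot: `cookie.id` goes into the same popen() command line unchecked, so the new `invalid()` allow-list covers only one of the two client-supplied values on that line; apply it there as well, `if (invalid(cookie.id)) show_error("Invalid user id");`, unless the id is already validated where the cookie is parsed (not visible here). The new check relies on show_error() not returning, exactly as the existing ALLOW_INTERNET_EMAIL check above it does; if that is the contract, a `/* show_error() does not return */` comment at the first use would save the next reader a lookup. snprintf truncation here silently produces a shorter command, so compare the return value against `sizeof filename` before calling popen. The structural fix is to run SEND_MAIL without a shell — fork/exec with an explicit argv and a pipe for the message body — which removes the dependence on the allow-list altogether. The enclosing function starts before the hunk and continues after it.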
--