Credit:
The information has been provided by iDefense Labs Security Advisories.
The original article can be found at: http://www.idefense.com/intelligence/vulnerabilities/
Vulnerable Systems:
* mod_tcl version 1.0 for Apache 2.x
Immune Systems:
* mod_tcl version 1.0.1 for Apache 2.x
Due to programmer error, user-supplied data is passed as the format string argument in several calls to an internally defined variable-argument function. The function 'set_var' is declared as follows:
mod_tcl.h:117:    void set_var(Tcl_Interp *interp, char *var1,
                               char *var2, const char *fmt, ...);
Several insecure calls to this function are made throughout the code, as seen below:
tcl_cmds.c:437:   set_var(interp, nm_var, (char*) key,
                          (char*) val);
tcl_cmds.c:2231:  set_var(interp, nm_env, env[i],
                          sptr + 1);
tcl_core.c:650:   set_var(interp, namespc,
                          vl[i].var2,
                          vl[i].var3);
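The call pattern above next to its usual correction, as an added example that is not code from mod_tcl or from the advisory. The names set_var_demo, store_unsafe and store_safe are hypothetical, the stand-in writes to a buffer rather than a Tcl variable, and the constant "%s" format is the standard fix for this bug class, not a quote from the 1.0.1 source.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for set_var(): same trailing "const char *fmt, ..."
 * shape, but it formats into a caller buffer instead of a Tcl variable. */
static int set_var_demo(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, outsz, fmt, ap);   /* fmt is interpreted here */
    va_end(ap);
    return n;
}

/* Pattern from the advisory: the value lands in the fmt position, so any
 * '%' sequence inside it is treated as a conversion, not as data. */
static void store_unsafe(char *out, size_t outsz, const char *val)
{
    set_var_demo(out, outsz, val);
}

/* Corrected pattern: constant format string, value passed as an argument. */
static void store_safe(char *out, size_t outsz, const char *val)
{
    set_var_demo(out, outsz, "%s", val);
}

int main(void)
{
    /* Constructed input. "%%" is the one conversion that consumes no
     * argument, so the unsafe call stays well-defined while still showing
     * that the value is being interpreted rather than stored. */
    const char *val = "rate=100%%";
    char a[64], b[64];

    store_unsafe(a, sizeof a, val);
    store_safe(b, sizeof b, val);
    printf("unsafe: %s\nsafe:   %s\n", a, b);
    return 0;
}
```

Declaring such a function with the GCC/Clang `format(printf, ...)` attribute and building with `-Wformat-security` makes the compiler flag calls that pass a non-literal format with no further arguments.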
Vendor response:
The Apache mod_tcl team have addressed this vulnerability with mod_tcl version 1.0.1. It is available from http://tcl.apache.org/mod_tcl/
CVE Information:
CVE-2006-4154
Disclosure Timeline:
08/16/2006 - Initial vendor notification
10/11/2006 - Initial vendor response
10/13/2006 - Coordinated public disclosure