While setting up a test environment I noticed a vulnerable call to strcpy() in the LshttpdMain::guessCommonServerRoot() function.

```cpp
char *pHome = getenv("HOME");
pServerRoots[0] = pHome;
char achBuf[MAX_PATH_LEN];
for (size_t i = 0; i < sizeof(pServerRoots) / sizeof(char *); ++i)
{
    if (!pServerRoots[i])
        continue;
    strcpy(achBuf, pServerRoots[i]);   // unbounded copy of an attacker-chosen HOME into a fixed-size stack buffer
    // ... (excerpt continues)
```
You can trigger the issue with:

```sh
HOME=`python2 -c 'print "A"*4128'` ./openlitespeed
```
It appears to be possible on 1.3.11 and 1.4.8.
Because of the stack canary (thanks, -fstack-protector) it would be quite hard to make this exploitable, and it's only local, so nothing major, just a bit of code cleanliness.

Oh, and the call to:

```cpp
strcat(achBuf, pServerDirs[j]);
```

a few lines down could also cause a minor uncontrolled write if someone had some really large paths.
Thanks!
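As an added illustration (not code from the report or from the OpenLiteSpeed source), here is a bounded replacement for the strcpy()/strcat() pair above: the copy is length-checked against the destination buffer and an oversized candidate root is skipped rather than written. The value of MAX_PATH_LEN, the fallback root, the "/conf" suffix and the function names are assumptions chosen for the example.

```c
#include <stdlib.h>
#include <string.h>

/* Assumed value: the report names MAX_PATH_LEN but not its size. */
#define MAX_PATH_LEN 4096

/* Bounded replacement for the strcpy()+strcat() pair in the report: writes
 * root followed by dir into out (capacity cap) and refuses, instead of
 * overflowing, when root+dir+NUL would exceed cap. Returns 0 or -1. */
int join_server_path(char *out, size_t cap, const char *root, const char *dir)
{
    if (!out || cap == 0 || !root || !dir)
        return -1;
    size_t rlen = strlen(root), dlen = strlen(dir);
    if (rlen > cap - 1 || dlen > cap - 1 - rlen)   /* no overflow in the sum */
        return -1;
    memcpy(out, root, rlen);
    memcpy(out + rlen, dir, dlen);
    out[rlen + dlen] = '\0';
    return 0;
}

/* Mirrors the loop in the report: skip NULL candidates and any that would
 * overflow achBuf. Returns the index of the first root that fit, else -1. */
int guess_server_root_safe(char *achBuf, size_t cap, const char *const *roots,
                           size_t nroots, const char *dir)
{
    for (size_t i = 0; i < nroots; ++i) {
        if (!roots[i])
            continue;
        if (join_server_path(achBuf, cap, roots[i], dir) == 0)
            return (int)i;
    }
    return -1;
}

/* Replays the report's trigger with a constructed 4128-byte HOME as roots[0]
 * (not read from the environment), then a sane fallback root. Returns the
 * index the safe loop settles on: 1, since the oversized entry is skipped. */
int demo_oversized_home(void)
{
    static char achBuf[MAX_PATH_LEN];
    char *big = malloc(4129);
    memset(big, 'A', 4128);
    big[4128] = '\0';
    const char *roots[] = { big, "/usr/local/lsws", NULL };
    int idx = guess_server_root_safe(achBuf, sizeof achBuf, roots, 3, "/conf");
    free(big);
    return idx;
}
```

The same bound also covers the later strcat(), since the suffix is counted against the remaining capacity before anything is written.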