CVE-2007-4060
Published 2007-07-30
Priority: P3 49 · critical · 9 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:C
EXPLOIT
EPSS: 5.38% (91.7th percentile)
Multiple buffer overflows in the HttpSprockMake function in http.c in Frank Yaul corehttp 0.5.3alpha allow remote attackers to execute arbitrary code via a long string in the (1) method name or (2) URI in an HTTP request.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| frank_yaul | corehttp | — | — |
| frank_yaul | corehttp | — | — |
GHSA
GHSA-247h-6fhv-4v2c: Off-by-one error in src/http
ghsa_unreviewed·2022-05-02·CVSS 9.0
CVE-2009-3586 [CRITICAL] GHSA-247h-6fhv-4v2c: Off-by-one error in src/http
Off-by-one error in src/http.c in CoreHTTP 0.5.3.1 and earlier allows remote attackers to cause a denial of service or possibly execute arbitrary code via an HTTP request with a long first line that triggers a buffer overflow. NOTE: this vulnerability reportedly exists because of an incorrect fix for CVE-2007-4060.
GHSA
GHSA-prgf-2j5r-6m96: Multiple buffer overflows in the HttpSprockMake function in http
ghsa_unreviewed·2022-05-01
CVE-2007-4060 [HIGH] GHSA-prgf-2j5r-6m96: Multiple buffer overflows in the HttpSprockMake function in http
Multiple buffer overflows in the HttpSprockMake function in http.c in Frank Yaul corehttp 0.5.3alpha allow remote attackers to execute arbitrary code via a long string in the (1) method name or (2) URI in an HTTP request.
No detection rules found.
Exploit-DB
CoreHTTP Web server 0.5.3.1 - Off-by-One Buffer Overflow
exploitdb·2009-12-02·CVSS 9.0
CVE-2009-3586 [CRITICAL] CoreHTTP Web server 0.5.3.1 - Off-by-One Buffer Overflow
---
# bugtraq: http://seclists.org/bugtraq/2009/Dec/99
# census ID: census-2009-0003
# URL: http://census-labs.com/news/2009/12/02/corehttp-web-server/
# CVE ID: CVE-2009-3586
# Affected Products: CoreHTTP web server versions buffer,
# 46: "%" PATHSIZE_S "[A-Za-z] %" PATHSIZE_S "s%*[ \t\n]", req, url);
#
# The buffers req and url are declared to be of size 256 bytes (PATHSIZE)
# and the sscanf() call writes 256 bytes (PATHSIZE_S) to these buffers
# without NULL terminating them.
#
# Note that this is not vulnerability CVE-2007-4060 in which the same
# sscanf() call contained no bounds check at all.
#
# This vulnerability can lead to denial of service attacks against the
# CoreHTTP web server and potentially to the remote execution
Exploit-DB
CoreHTTP 0.5.3alpha - HTTPd Remote Buffer Overflow
exploitdb·2007-07-29
CVE-2007-4060 CoreHTTP 0.5.3alpha - HTTPd Remote Buffer Overflow
---
/*[ corehttp[v0.5.3alpha]: httpd remote buffer overflow exploit. ]**********
* *
* by: vade79/v9 [email protected] (fakehalo/realhalo) *
* *
* compile: *
* gcc xcorehttp.c -o xcorehttp *
* *
* syntax: *
* ./xcorehttp [-r] -h host -p port *
* *
* corehttp homepage/url: *
* http://corehttp.sourceforge.net/ *
* *
* bug(http.c): *
* ----------------------------------------------------------------------- *
* struct sprock_t *HttpSprockMake(struct sprock_t *parentsprock) { *
* struct sprock_t *sprocket; *
* char req[PATHSIZE], url[PATHSIZE], status[PATHSIZE], temp[BUFSIZE], *
* ... *
* if ((sprocket = (struct sprock_t *) *
* malloc(sizeof(struct sprock_t))) == NULL) return NULL; *
* ... *
* sscanf(parentsprock->buffer, "%[A-Za-z] %s%*[ \t\n]"
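The two advisories above describe the same `sscanf()` call, first with no field width and then with a width equal to the buffer size. The following is an added example, not code from CoreHTTP or from either advisory, showing a request-line parser whose width leaves room for the terminating NUL and which rejects oversized fields instead of truncating them. `parse_request_line` and `FIELD_W` are hypothetical names; `PATHSIZE` is 256 as stated in the advisory.

```c
#include <stdio.h>
#include <string.h>

#define PATHSIZE 256   /* buffer size stated in the advisory */
#define FIELD_W  "255" /* PATHSIZE - 1: a scanf width excludes the NUL (assumed name) */

/* Formats described on the page, shown for comparison only, never executed:
 *   CVE-2007-4060: "%[A-Za-z] %s%*[ \t\n]"        no width, unbounded write
 *   CVE-2009-3586: "%256[A-Za-z] %256s%*[ \t\n]"  256 chars + NUL = 257 bytes
 * A scanf width limits the characters matched; the NUL is stored after them. */

/* Parse "METHOD URL" from the first request line.
 * Returns 0 on success, -1 if a field is missing or does not fit. */
int parse_request_line(const char *line, char req[PATHSIZE], char url[PATHSIZE])
{
    int end_req = 0, end_url = 0;

    req[0] = url[0] = '\0';
    /* %n records how far each conversion got; it is not counted in the result. */
    if (sscanf(line, "%" FIELD_W "[A-Za-z]%n %" FIELD_W "s%n",
               req, &end_req, url, &end_url) != 2)
        return -1;

    /* Reject instead of truncating: each field must end at a delimiter.
     * If the width cut a field short, the next byte is still part of it. */
    if (line[end_req] != ' ')
        return -1;
    char c = line[end_url];
    if (c != '\0' && c != ' ' && c != '\t' && c != '\r' && c != '\n')
        return -1;
    return 0;
}

int main(void)
{
    char req[PATHSIZE], url[PATHSIZE];
    const char *sample = "GET /index.html HTTP/1.0\r\n"; /* constructed input */
    int rc = parse_request_line(sample, req, url);

    printf("rc=%d method=%s url=%s\n", rc, req, url);
    return rc == 0 ? 0 : 1;
}
```
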
No writeups or analysis indexed.