CVE-2009-2281

Name of the Vulnerable Software and Affected Versions MapServer versions 4.x through 4.10.4 MapServer versions 5.x before 5.4.2

Description The issue is related to multiple heap-based buffer underflows in the readPostBody function in cgiutil.c in mapserv. This allows remote attackers to execute arbitrary code via a crafted Content-Length HTTP header or a large HTTP request. The problem is also related to an integer overflow that triggers a heap-based buffer overflow. This issue reportedly exists because of an incomplete fix for a previous problem.

Recommendations For MapServer versions 4.x through 4.10.4, update to a version later than 4.10.4 to resolve the issue. For MapServer versions 5.x before 5.4.2, update to version 5.4.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the readPostBody function in cgiutil.c to minimize the risk of exploitation.