4377148 1999-10-09  00:10  /76 lines/ Postmaster
Recipient: Bugtraq (import) <8115>
Recipient: Roxen experience exchange and user forum <5870>
    Sent:     1999-10-09 02:33
    Sent by Henrik Grubbström (Lysator)
Marked by 1 person.
Subject: Roxen security alert
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID:  <Pine.LNX.4.10.9910061837001.2848-100000@noella.mindsec.com>
Date:         Wed, 6 Oct 1999 18:38:42 -0600
Reply-To: Erik Parker <eparker@MINDSEC.COM>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Erik Parker <eparker@MINDSEC.COM>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

From Mindsec.com via the Roxen-Announce mailing list.

Begin Forward:

Following some discussion on the Roxen mailing list, a rather nasty
exploit that works on many Roxen servers was discovered.

Systems Affected:

  All systems running Roxen with the Pike-tag enabled. It also applies
  to a lesser degree to all systems running Roxen with the main
  RXML-parser enabled.

Description:

  Due to the recursive nature of RXML it is vital that input from the
  client is properly quoted or stopped from further recursive
  parsing. The code for the <referer>-tag failed to do this properly.

  OBSERVE: You are not protected just because you are not using the
  <referer>-tag!  Why will be explained in a later post containing
  instructions on how this can be exploited. Fix your server now.

Solution:

  Apply this patch to htmlparse.pike:

-----8<---------------------------------------------------

--- htmlparse.pike      1999/05/25 11:40:57     1.180
+++ htmlparse.pike      1999/10/05 08:30:18
@@ -2521,7 +2521,7 @@
   if(m->help)
     return ("Compatibility alias for referrer");
   if(id->referer)
-    return sizeof(id->referer)?id->referer*"":m->alt?m->alt:"..";
+    return sizeof(id->referer)?({ id->referer*"" }):m->alt?m->alt:"..";
   return m->alt?m->alt:"..";
 }
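Review bot: the array wrapping on the `+` line is the entire fix and carries no comment; nothing in the hunk explains why `({ id->referer*"" })` must differ from the bare strings the two `m->alt?m->alt:".."` branches still return, so a later cleanup could "simplify" it back to the vulnerable form. Suggest a one-line comment above the return, e.g. `// Array return: the parser must not recurse into client-supplied Referer data`, and, if the `alt` branches are intentionally left as re-parsed strings because `alt` is set by the page author rather than the client, state that in the same comment.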
-----8<---------------------------------------------------


  cd to the Roxen directory and run:
  patch server/modules/tags/htmlparse.pike < file_with_patch

  Or, disable the RXML-parser in all your Roxen servers. This will also
  automatically disable the Pike-tag.

Note:

  I have purposefully not said how to make a general exploit for
  this. I would appreciate it if those of you who are clever enough to
  figure it out for yourselves would keep that information to
  yourselves for the next 48hrs or so unless you find a very good
  reason it must be told. Hopefully that will give administrators
  enough time to fix most installations.

  The patch is also available as
  ftp://ftp.roxen.com/pub/roxen/patches/roxen_1.3.111-htmlparse.pike.patch

--
Peter Bortas                   http://peter.bortas.org
Idonex AB                      http://www.idonex.com
(4377148) -----------------------------------
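The recursive-parsing behaviour the advisory relies on, modelled as an added example in Python (this is not Roxen's or Idonex's code, and the toy parser only imitates the one property that matters: a tag handler returning a bare string is fed back through the parser, while a handler returning an array is inserted verbatim, which is what the `({ ... })` wrapping in the patch achieves). The tag names, the `<pike>` stand-in that merely records what would have run, the attacker's Referer header and the page template are all constructed for the demonstration; `MAX_DEPTH`, `render()` and the handler names are assumptions of this example, not Roxen APIs.

```python
"""Toy RXML-style recursive tag parser (constructed example, not Roxen code).

Handlers receive (attrs, body, request) and return either
  str        -> result is re-parsed (the pre-patch behaviour the advisory describes)
  list[str]  -> result[0] is inserted verbatim (the ({ ... }) form from the patch)
"""
import re
from typing import Callable, Dict, List, Union

TagResult = Union[str, List[str]]
TagHandler = Callable[[Dict[str, str], str, dict], TagResult]

OPEN_TAG = re.compile(r'<([a-z]+)((?:\s+[a-z]+="[^"]*")*)\s*(/?)>')
ATTR = re.compile(r'([a-z]+)="([^"]*)"')

MAX_DEPTH = 8  # assumption: guard so the toy parser cannot recurse forever


def parse(text: str, tags: Dict[str, TagHandler], request: dict, depth: int = 0) -> str:
    """Expand every known tag in `text`; string results are parsed again recursively."""
    if depth > MAX_DEPTH:
        raise RecursionError("RXML nesting too deep")
    out: List[str] = []
    pos = 0
    while True:
        m = OPEN_TAG.search(text, pos)
        if m is None:
            out.append(text[pos:])
            break
        name, raw_attrs, self_closing = m.group(1), m.group(2), m.group(3)
        out.append(text[pos:m.start()])
        handler = tags.get(name)
        if handler is None:  # unknown tag: left untouched
            out.append(m.group(0))
            pos = m.end()
            continue
        attrs = dict(ATTR.findall(raw_attrs))
        body, end = "", m.end()
        if not self_closing:
            close = text.find(f"</{name}>", m.end())
            if close != -1:
                body = text[m.end():close]
                end = close + len(name) + 3  # skip "</name>"
        result = handler(attrs, body, request)
        if isinstance(result, str):
            out.append(parse(result, tags, request, depth + 1))  # re-parsed: the hazard
        else:
            out.append(result[0])  # array form: no further parsing
        pos = end
    return "".join(out)


def tag_pike(attrs: Dict[str, str], body: str, request: dict) -> TagResult:
    """Stand-in for the Pike-tag: only records that server-side code would have run."""
    request.setdefault("executed", []).append(body)
    return [f"[pike ran: {body}]"]


def tag_referer_vulnerable(attrs: Dict[str, str], body: str, request: dict) -> TagResult:
    """Pre-patch shape: the client's Referer header comes back as a bare string."""
    referer = request.get("referer", "")
    return referer if referer else attrs.get("alt", "..")


def tag_referer_fixed(attrs: Dict[str, str], body: str, request: dict) -> TagResult:
    """Post-patch shape: the header is wrapped so the parser stops recursing.
    The alt fallback stays a bare string, as in the patch (it is page-author data)."""
    referer = request.get("referer", "")
    return [referer] if referer else attrs.get("alt", "..")


# Constructed page template and attacker-supplied Referer header.
PAGE = 'You came from: <referer alt="nowhere">\n'
EVIL_REFERER = '<pike>Stdio.File("/etc/passwd")->read()</pike>'


def render(fixed: bool, referer: str = EVIL_REFERER):
    """Render PAGE with the vulnerable or fixed handler.
    Returns (output, list of <pike> bodies that would have executed)."""
    request = {"referer": referer, "executed": []}
    tags = {"pike": tag_pike,
            "referer": tag_referer_fixed if fixed else tag_referer_vulnerable}
    return parse(PAGE, tags, request), request["executed"]


if __name__ == "__main__":
    for fixed in (False, True):
        out, ran = render(fixed)
        print("fixed" if fixed else "vulnerable", "->", out.strip(), "| executed:", ran)
```

With the vulnerable handler the Referer header is parsed as RXML and the embedded `<pike>` body runs; with the fixed handler the same header is emitted as inert text. A Referer of `<referer>` against the vulnerable handler also shows the recursion itself: the tag expands to itself until the depth guard trips.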