4377148 1999-10-09 00:10 /76 lines/ Postmaster
Recipient: Bugtraq (import) <8115>
Recipient: Roxen experience exchange and user forum <5870>
Sent: 1999-10-09 02:33
Sent by Henrik Grubbström (Lysator)
Marked by 1 person.
Subject: Roxen security alert
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.LNX.4.10.9910061837001.2848-100000@noella.mindsec.com>
Date: Wed, 6 Oct 1999 18:38:42 -0600
Reply-To: Erik Parker <eparker@MINDSEC.COM>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Erik Parker <eparker@MINDSEC.COM>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

From Mindsec.com Via Roxen-Announce mailing list.

Begin Forward:

Following some discussion on the Roxen mailing list a rather nasty exploit
that works on many Roxen servers was discovered.

Systems Affected:
All systems running Roxen with the Pike-tag enabled. It also applies to a
lesser degree to all systems running Roxen with the main RXML-parser enabled.

Description:
Due to the recursive nature of RXML it is vital that input from the client
is properly quoted or stopped from further recursive parsing. The code for
the <referer>-tag failed to do this properly.

OBSERVE: You are not protected just because you are not using the
<referer>-tag! Why will be explained in a later post containing instructions
on how this can be exploited. Fix your server now.

Solution:
Apply this patch to htmlparse.pike:

-----8<---------------------------------------------------
--- htmlparse.pike 1999/05/25 11:40:57 1.180
+++ htmlparse.pike 1999/10/05 08:30:18
@@ -2521,7 +2521,7 @@ if(m->help) return ("Compatibility alias for referrer"); if(id->referer) - return sizeof(id->referer)?id->referer*"":m->alt?m->alt:".."; + return sizeof(id->referer)?({ id->referer*"" }):m->alt?m->alt:".."; return m->alt?m->alt:".."; }
-----8<---------------------------------------------------

cd to the Roxen directory and run:

patch server/modules/tags/htmlparse.pike < file_with_patch

Or, disable the RXML-parser in all your Roxen servers. This will also
automatically disable the Pike-tag.

Note: I have purposefully not said how to make a general exploit for this. I
would appreciate if those of you who are clever enough to figure it out for
yourselves would keep that information to yourselves for the next 48hrs or so
unless you find a very good reason it must be told. Hopefully that will give
administrators enough time to fix most installations.

The patch is also available as
ftp://ftp.roxen.com/pub/roxen/patches/roxen_1.3.111-htmlparse.pike.patch

--
Peter Bortas    http://peter.bortas.org
Idonex AB       http://www.idonex.com

(4377148) -----------------------------------
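Review bot: the `({ })` wrapper on the changed line covers only the referer branch; the `m->alt?m->alt:".."` fallback on that same line, and the identical fallback on the unchanged `return m->alt?m->alt:"..";` line below it, still hand the parser a bare string that will be processed as RXML again. `m->alt` is the tag's own attribute rather than client data, so the exposure is smaller, but returning `({ m->alt })` and `({ ".." })` there as well would make the tag uniformly return non-parseable output and would let the duplicated fallback collapse into a single return after the `if`. A one-line comment saying that an array return is what stops further parsing would also help, since nothing in the hunk explains why the wrapper is the fix.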
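The description above makes one point that the hunk only shows indirectly: in a recursive template language, text that a tag returns is parsed again, so a tag that echoes client-controlled input must mark that input as already-expanded. The following toy expander is an added example, not Roxen's parser or any code from the advisory; it is written in Python rather than Pike, and the names `Literal`, `expand`, `make_tags`, `render`, the tag names, the sample Referer value and the recursion limit are all constructed for the illustration. The `Literal` wrapper plays the role the `({ ... })` array plays in the patch.

```python
import re
from dataclasses import dataclass

# Constructed toy RXML-style expander. It is NOT Roxen's parser; it only
# reproduces the property the advisory describes: a tag's string result is
# fed back into the parser, so client text returned raw gets expanded too.

TAG_RE = re.compile(r"<(\w+)>")
MAX_DEPTH = 8  # constructed bound so runaway recursion fails loudly


@dataclass(frozen=True)
class Literal:
    """Already-expanded text that is copied to the output verbatim.

    This is the analogue of the ({ id->referer*"" }) array wrapper in the
    htmlparse.pike patch: a value the parser must not process again.
    """
    text: str


def expand(template, tags, depth=0):
    """Expand every <name> tag in `template` using the handlers in `tags`.

    A handler returns either a plain str or a Literal.  A plain str is treated
    as more template text and parsed again (recursive behaviour); a Literal is
    emitted as-is.  re.sub does not rescan replacement text, so a Literal that
    happens to contain "<...>" is never expanded.
    """
    if depth > MAX_DEPTH:
        raise RecursionError("tag expansion nested too deeply")

    def replace(match):
        name = match.group(1)
        handler = tags.get(name)
        if handler is None:
            return match.group(0)                 # unknown tag: leave untouched
        result = handler()
        if isinstance(result, Literal):
            return result.text                    # quoted: no further parsing
        return expand(result, tags, depth + 1)    # raw string: parse again

    return TAG_RE.sub(replace, template)


def make_tags(request_referer):
    """Tag table for one request. `request_referer` is the raw Referer header
    as sent by the client (constructed sample input, see SAMPLE_REFERER)."""
    return {
        # Harmless server-side tag, used only to show whether expansion happened.
        "server": lambda: "roxen-demo",
        # Vulnerable shape: the client string is returned raw, so the parser
        # expands any tags the client put into the header.
        "referer_unsafe": lambda: request_referer,
        # Fixed shape: the client string is returned as a Literal and is
        # therefore emitted verbatim, tags and all.
        "referer_safe": lambda: Literal(request_referer),
    }


# Constructed page templates and client input.
PAGE_UNSAFE = "You came from <referer_unsafe>"
PAGE_FIXED = "You came from <referer_safe>"
SAMPLE_REFERER = "http://example.invalid/?q=<server>"


def render(page, referer):
    """Render a page for a request whose Referer header is `referer`."""
    return expand(page, make_tags(referer))


if __name__ == "__main__":
    print("unsafe:", render(PAGE_UNSAFE, SAMPLE_REFERER))
    print("fixed: ", render(PAGE_FIXED, SAMPLE_REFERER))
```

With the unsafe tag the `<server>` text inside the client's header is expanded by the server; with the fixed tag it is printed back as the literal characters the client sent. The same contract applies to any tag that emits request data (query strings, cookies, other headers), which is why the advisory warns that not using `<referer>` alone does not make a server safe.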