6838120 2001-08-02 23:42 +0200  /68 lines/ Peter Bortas <peter@idonex.se>
Sent by: joel@lysator.liu.se
Imported: 2001-08-03  04:38  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18606>
Subject: Roxen security alert: URL decoding vulnerable
------------------------------------------------------------
From: Peter Bortas <peter@idonex.se>
To: bugtraq@securityfocus.com
Message-ID: <76wv4m9m0u.fsf@kronan.idonex.se>


Roxen Webserver 2.0 up to version 2.0.92 and 2.1 up to version
2.1.264 have a vulnerability that allows any user to retrieve any file
from the host with the privileges of the web server. Having the
CGI module enabled escalates the problem by making it possible to run
any executable.

Description

  In Roxen 2.0 a new module was introduced which decodes URLs encoded
  using UTF-8 (and later Mac and iso-2202 encoding). The problem is
  that the newly decoded URL is not normalized and can contain
  references to files outside of the directories served by the web
  server.
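  The ordering problem described above, shown as an added illustration
  in Python (not Roxen's own Pike code; the document root and request
  paths are constructed for the example): a server that normalizes the
  still-encoded URL and only then decodes it lets a ".." that appears
  only after decoding reach the filesystem, while decoding first and
  normalizing and confining the result afterwards does not.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote_to_bytes

# Constructed example document root; not a real Roxen configuration value.
DOC_ROOT = "/srv/www/htdocs"

def normalize(path: str) -> str:
    """Collapse '.', '..' and repeated slashes into a canonical absolute path."""
    return posixpath.normpath("/" + path.lstrip("/"))

def decode(path: str) -> str:
    """Percent-decode, then interpret the bytes as UTF-8 (the decoding step the
    advisory describes). Strict mode rejects overlong or truncated sequences
    instead of guessing at them."""
    return unquote_to_bytes(path).decode("utf-8", errors="strict")

def resolve_flawed(raw_path: str) -> str:
    """Ordering bug: the URL is normalized while still encoded and the decoded
    result is never re-normalized, so a '..' that only exists after decoding
    survives. The returned path is what the OS would actually open."""
    return posixpath.normpath(DOC_ROOT + decode(normalize(raw_path)))

def resolve_fixed(raw_path: str) -> Optional[str]:
    """Decode first, normalize afterwards, then confine the result to DOC_ROOT.
    Returns None for requests that would leave the served directory or that
    are not well-formed UTF-8."""
    try:
        decoded = decode(raw_path)
    except UnicodeDecodeError:
        return None
    full = posixpath.normpath(posixpath.join(DOC_ROOT, decoded.lstrip("/")))
    if full != DOC_ROOT and not full.startswith(DOC_ROOT + "/"):
        return None
    return full

if __name__ == "__main__":
    # Constructed requests: an ordinary UTF-8 file name, and one that only
    # turns into a parent-directory reference after decoding.
    for req in ("/docs/%c3%a5.html", "/%2e%2e/private/config.txt"):
        print(req, "->", resolve_flawed(req), "|", resolve_fixed(req))
```

  The same decode-then-normalize order is what a URL-decoding module must
  apply before any filesystem module sees the path, whether or not a
  separate rectifier module is enabled.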

Systems affected

  All Roxen 2.0 releases on all operating systems before 2.0.92.
  All Roxen 2.1 releases on all operating systems before 2.1.264.
  
  Whether or not the "URL-rectifier" module is enabled is not
  relevant.

  Roxen Platform/SiteBuilder is not affected unless any
  of the following modules have been added to the server:

    * Normal File system
    * Restricted file system
    * User file system
    * Frontpage Script support
    * CGI scripting support
    * Fast CGI support
    * Plain filesystem

  These modules are NOT part of a normal Platform/SiteBuilder setup.

  Roxen versions 1.3 and earlier are not affected unless the
  unofficial de-UTF8 or URL rectifier modules are installed and
  enabled.

Solution

  An update package labeled 'Fix for file access vulnerability' is
  available from the Roxen 2.1 update server for users of the 2.1.247
  and 2.1.262 releases. Use the administration interface to download
  and install this fix. Note that the server needs to be restarted
  when the fix is installed.

  Patches, and instructions on how to apply them, for all 2.x releases
  are available at
  http://download.roxen.com/
  on the download page for the version of Roxen you are using.

  All 2.x releases on download.roxen.com are patched.

  Users of Roxen 1.3 should make sure that they do not have de-UTF8 or
  URL rectifier modules enabled in any virtual server.

Credits

  Problem reported, with a suggested fix, by David Hedbor
  <dhedbor@real.com>

--
Peter Bortas, Roxen Internet Software AB
David Hedbor, Real Networks Inc.