5289484 2000-07-21 21:52 /36 lines/ Postmaster
Recipient: Bugtraq (import) <11850>
Subject: Roxen Web Server Vulnerability
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2i
Message-ID: <20000721074818.A10870@sdf.freeshell.org>
Date: Fri, 21 Jul 2000 07:48:18 +0000
Reply-To: zorgon@SDF.FREESHELL.ORG
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: zorgon@SDF.FREESHELL.ORG
To: BUGTRAQ@SECURITYFOCUS.COM

Hi all,

Excuse me for my poor English :) I discovered two problems in Roxen Web
server 2.0.46 (and certainly prior). Perhaps it isn't important.

* First problem: Suppose that Roxen is installed by default in
/usr/local, the
/usr/local/roxen/configurations/_configinterface/settings/administrator_uid
file holds the crypt password of the Web server's administrator. By
default, the permissions are set to 644. So, it allows a local user to
read and decrypt the password.

* Second problem: If you type the URL: http://www.victim.com/%00/,
you will see the contents of the site in question. This vulnerability was
directly tested on Roxen's web site: http://www.roxen.com

--
zorgon@sdf.lonestar.org
Web Site : http://www.nightbird.fr.st
(5289484) ------------------------------------------(Rewrapped)
5290705 2000-07-23 00:00 /46 lines/ Brevbäraren (som är implementerad i) Python
Recipient: Bugtraq (import) <11866>
Subject: Roxen security alert: Problems with URLs containing null characters.
------------------------------------------------------------
Roxen 2.0 up to version 2.0.68 has a vulnerability where using URLs
containing null characters can gain the browser access to information
he is not authorized to:

* Directory listings in directories with index files
* In normal filesystems: the source code for RXML files, Pike
  scripts, CGIs etc.
* Information protected by .htaccess files might be revealed under
  special circumstances

Systems Affected

All Roxen 2.0 releases before 2.0.69. We have been unable to
reproduce the problem with Roxen 1.3, but this is not fully analyzed
yet, so it is suggested that a patch is applied as a precaution.
Roxen SiteBuilder is ONLY affected by the directory listing
vulnerability.

Solution

An update package labeled 'Fix for "%00" vulnerability' is available
from the Roxen 2.0 update server. Use the administration interface
to download and install this fix. Note that the server needs to be
restarted when the fix is installed.

A patch for Roxen 1.3.122 (the latest 1.3 release) is available as
ftp://ftp.roxen.com/pub/roxen/patches/roxen_1.3.122-http.pike.patch
and should be applied to server/protocols/http.pike.

The Roxen 2.0 upgrade package is also available as a patch if the
update server cannot be used for some reason:
ftp://ftp.roxen.com/pub/roxen/patches/roxen_2.0.50-http.pike.patch

Credits

Problem originally reported by <zorgon@sdf.lonestar.org>. Further
comments on the problem by Elias Levy <aleph1@underground.org>

--
Peter Bortas http://peter.bortas.org
Roxen IS http://www.roxen.com
(5290705) ------------------------------------------(Rewrapped)
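
Added example, not part of either message above and not Roxen's own code: a log check a site operator could run to find requests whose URL decodes to a null character, like the /%00/ form reported in this thread. It goes slightly beyond the reports by also catching repeated encoding such as %2500. It assumes a Common Log Format access log; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Request line and status inside a Common Log Format entry (assumed log format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

MAX_DECODE_ROUNDS = 3  # repeated decoding also catches forms such as %2500


def url_has_nul(target: str) -> bool:
    """True if the request target contains a NUL byte after percent-decoding."""
    data = target.encode("latin-1", "replace")
    for _ in range(MAX_DECODE_ROUNDS):
        if b"\x00" in data:
            return True
        decoded = unquote_to_bytes(data)
        if decoded == data:  # nothing left to decode
            return False
        data = decoded
    return b"\x00" in data


def find_nul_requests(log_lines):
    """Return (client, target, status) for each logged request with a NUL in its URL."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if m and url_has_nul(m.group("target")):
            client = line.split(" ", 1)[0]
            hits.append((client, m.group("target"), int(m.group("status"))))
    return hits


# Constructed sample lines (not taken from the original posts).
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Jul/2000:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 5120',
    '192.0.2.44 - - [23/Jul/2000:10:00:07 +0000] "GET /%00/ HTTP/1.0" 200 2048',
    '192.0.2.44 - - [23/Jul/2000:10:00:09 +0000] "GET /docs/%2500/ HTTP/1.0" 404 310',
    '192.0.2.10 - - [23/Jul/2000:10:00:12 +0000] "GET /search?q=100%25 HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    for client, target, status in find_nul_requests(SAMPLE_LOG):
        # A 2xx answer means content was returned and should be reviewed.
        note = "served, review what was returned" if 200 <= status < 300 else "not served"
        print(f"{client} {target} -> {status} ({note})")
```

Hits answered with a 2xx status on a server that has not yet received the fix are the ones to review first, since the advisory lists directory listings and script source among the data that could be returned.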