[UNIX] Roxen Vulnerable to URL Decoding Attack

From: support@securiteam.com
Date: 08/07/01

From: support@securiteam.com
To: list@securiteam.com
Subject: [UNIX] Roxen Vulnerable to URL Decoding Attack
Message-Id: <20010807060757.BA5B0138C4@mail.der-keiler.de>
Date: Tue,  7 Aug 2001 08:07:57 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Roxen Vulnerable to URL Decoding Attack


Roxen Web server 2.0 up to version 2.0.92 and 2.1 up to version 2.1.264
suffer from a vulnerability that allows any user to retrieve any file from
the host with the privileges of the web server. Having the CGI-module
enabled escalates the problem by making it possible to run any executable.


Vulnerable systems:
All Roxen 2.0 releases on all OS's before 2.0.92.
All Roxen 2.1 releases on all OS's before 2.1.264.
Whether or not the "URL-rectifier" module is enabled is not relevant.

Immune systems:
 * Roxen versions 1.3 and earlier are not affected unless the unofficial
   de-UTF8 or URL rectifier modules are installed and enabled.
 * Roxen Platform/SiteBuilder is not affected unless any of the following
   modules have been added to the server:
    - Normal File system
    - Restricted file system
    - User file system
    - Frontpage Script support
    - CGI scripting support
    - Fast CGI support
These modules are NOT part of a normal Platform/SiteBuilder setup.

In Roxen 2.0 a new module was introduced which decodes URLs encoded using
UTF-8 (and later Mac and ISO-2022 encoding). The problem is that the newly
decoded URL is not normalized and can contain references to files outside
of the directories served by the web server.
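
The ordering problem described above, shown as an added Python example; it is not part of the advisory and not Roxen's code. Percent-decoding stands in for the late decoding module, and DOCROOT, SAMPLE and all function names are constructed for the illustration.

```python
import posixpath
from urllib.parse import unquote

DOCROOT = "/srv/www"  # constructed document root (assumption)
# Constructed request path: harmless to a normalizer until it is decoded.
SAMPLE = "/docs/%2e%2e/%2e%2e/outside.txt"

def late_decode(path):
    """Stand-in for a decoding module that runs after the server's checks."""
    return unquote(path)

def inside_root(fs_path):
    """True if the normalized path is DOCROOT or lies below it."""
    norm = posixpath.normpath(fs_path)
    return norm == DOCROOT or norm.startswith(DOCROOT + "/")

def resolve_unsafe(url_path):
    """Flawed order: normalize, then decode, and never normalize again."""
    checked = posixpath.normpath("/" + url_path.lstrip("/"))
    decoded = late_decode(checked)  # decoding can reintroduce ".." segments
    return DOCROOT + decoded

def resolve_safe(url_path):
    """Decode first, normalize the result, then confine it to DOCROOT.

    Returns the file system path, or None if the request must be rejected.
    """
    decoded = late_decode(url_path)
    if "\x00" in decoded:
        return None
    candidate = posixpath.normpath(
        posixpath.join(DOCROOT, decoded.lstrip("/")))
    # A real server would also resolve symlinks before this comparison.
    return candidate if inside_root(candidate) else None

if __name__ == "__main__":
    for path in (SAMPLE, "/docs/r%C3%A9sum%C3%A9.html"):
        unsafe = resolve_unsafe(path)
        print(path)
        print("  unsafe ->", unsafe, "(inside root: %s)" % inside_root(unsafe))
        print("  safe   ->", resolve_safe(path))
```
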

An update package labeled 'Fix for file access vulnerability' is available
from the Roxen 2.1 update server for users of the 2.1.247 and 2.1.262
releases. Use the administration interface to download and install this
fix. Note that the server needs to be restarted when the fix is installed.

Patches, and instructions on how to apply them, for all 2.x releases are
available at http://download.roxen.com/ on the download page for the
version of Roxen you are using.

All 2.x releases on download.roxen.com are patched.

Users of Roxen 1.3 should make sure that they do not have de-UTF8 or URL
rectifier modules enabled in any virtual server.


The information has been provided by Peter Bortas <peter@idonex.se> and
David Hedbor <dhedbor@real.com>.

