SecurityTracker.com
Category:   Application (Web Server/CGI)  >   Roxen WebServer
Vendors:   Roxen Internet Software AB
Roxen Web Server Discloses Files on the Server to Remote Users and May, in Certain Configurations, Let Remote Users Execute Any Program on the Server
SecurityTracker Alert ID:  1002135
SecurityTracker URL:  http://securitytracker.com/id/1002135
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Aug 3 2001
Impact:   Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 2.0 before version 2.0.92 and 2.1 before version 2.1.264
Description:   Roxen reported a vulnerability in their Roxen Webserver that allows a remote user to view files on the server located outside of the document directory and, in certain configurations, may allow a remote user to execute any program on the server.

The vulnerability reportedly lies in a module that decodes URLs encoded using UTF-8 (and later Mac and ISO-2022 encoding). According to the vendor, the newly decoded URL is not normalized after decoding, so it can contain references to files outside of the directories served by the web server.
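The ordering problem described above, as an added Python sketch that is not Roxen's code (Roxen is written in Pike) and not from the advisory: one resolver checks the path before a late decoding step, the other decodes first, then normalizes, then enforces containment. `DOCROOT`, the function names and the sample paths are assumptions constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

DOCROOT = "/srv/www"  # hypothetical document root (assumption)


def inside_docroot(full_path):
    """True if an already-normalized absolute path lies within DOCROOT."""
    return full_path == DOCROOT or full_path.startswith(DOCROOT + "/")


def resolve_flawed(raw_path):
    """Flawed ordering: containment is checked on the still-encoded path and
    the decoding step runs afterwards, so its output is never normalized."""
    checked = posixpath.normpath(posixpath.join(DOCROOT, raw_path.lstrip("/")))
    if not inside_docroot(checked):
        return None
    decoded = unquote(raw_path, encoding="utf-8")  # late decode
    return posixpath.join(DOCROOT, decoded.lstrip("/"))  # used as-is


def resolve_hardened(raw_path):
    """Decode once and strictly, then normalize, then check containment."""
    try:
        decoded = unquote(raw_path, encoding="utf-8", errors="strict")
    except UnicodeDecodeError:
        return None  # malformed UTF-8 is rejected, not guessed at
    if "\x00" in decoded:
        return None  # NUL bytes never belong in a file path
    full = posixpath.normpath(posixpath.join(DOCROOT, decoded.lstrip("/")))
    return full if inside_docroot(full) else None


# Constructed request paths for illustration (not taken from the advisory).
SAMPLES = [
    "/index.html",
    "/caf%C3%A9.html",
    "/docs/../index.html",
    "/a/%2e%2e/%2e%2e/private/file.txt",
    "/%ff",
]

if __name__ == "__main__":
    for path in SAMPLES:
        print(path, "| flawed:", resolve_flawed(path),
              "| hardened:", resolve_hardened(path))
```

For the fourth sample the flawed resolver returns a path that still contains dot segments and resolves above the document root when opened, while the hardened resolver returns `None`.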

If the CGI-module is enabled, a remote user may be able to run any executable on the server.

The vendor notes that Roxen Platform/SiteBuilder is not affected unless any of the following modules have been added to the server:

* Normal File system
* Restricted file system
* User file system
* Frontpage Script support
* CGI scripting support
* Fast CGI support
* Plain filesystem

The vendor also notes that these modules are NOT part of a normal Platform/SiteBuilder setup.

Roxen versions 1.3 and earlier are reportedly not vulnerable unless the unofficial de-UTF8 or URL rectifier modules are installed and enabled.

Impact:   A remote user can craft a special UTF-8 encoded URL that will retrieve files on the server that are located outside of the server's defined directories. A remote user may also be able to execute any program on the server.
Solution:   The vendor has released a fix. Patches and instructions on how to apply them for all 2.x releases are available at:

http://download.roxen.com/

All 2.x releases on download.roxen.com are patched.

Users of Roxen 1.3 should make sure that they do not have de-UTF8 or URL rectifier modules enabled in any virtual server.

Vendor URL:  download.roxen.com/
Cause:   Input validation error
Underlying OS:   Linux (Any), UNIX (AIX), UNIX (FreeBSD), UNIX (HP/UX), UNIX (SGI/IRIX), UNIX (Solaris - SunOS), Windows (NT), Windows (2000)

Message History:   None.


 Source Message Contents

Date:  02 Aug 2001 23:42:25 +0200
Subject:  Roxen security alert: URL decoding vulnerable



Roxen Webserver 2.0 up to version 2.0.92 and 2.1 up to version 2.1.264
has a vulnerability that allows any user to retrieve any file from the
host with the privileges of the web server. Having the CGI-module
enabled escalates the problem by making it possible to run any executable.

Description

  In Roxen 2.0 a new module was introduced which decodes URLs encoded
  using UTF-8 (and later Mac and iso-2022 encoding). The problem is that
  the newly decoded URL is not normalized and can contain references
  to files outside of the directories served by the web server.

Systems affected

  All Roxen 2.0 releases on all OS's before 2.0.92.
  All Roxen 2.1 releases on all OS's before 2.1.264.
  
  Whether or not the "URL-rectifier" module is enabled is not relevant.

  Roxen Platform/SiteBuilder is not affected unless any
  of the following modules have been added to the server:

    * Normal File system
    * Restricted file system
    * User file system
    * Frontpage Script support
    * CGI scripting support
    * Fast CGI support
    * Plain filesystem

  These modules are NOT part of a normal Platform/SiteBuilder setup.

  Roxen versions 1.3 and earlier are not affected unless the
  unofficial de-UTF8 or URL rectifier modules are installed and
  enabled.

Solution

  An update package labeled 'Fix for file access vulnerability' is
  available from the Roxen 2.1 update server for users of the 2.1.247
  and 2.1.262 releases. Use the administration interface to download and
  install this fix. Note that the server needs to be restarted when the
  fix is installed.

  Patches and instructions on how to apply them for all 2.x releases are
  available at
  http://download.roxen.com/
  on the download page for the version of Roxen you are using.

  All 2.x releases on download.roxen.com are patched.

  Users of Roxen 1.3 should make sure that they do not have de-UTF8 or
  URL rectifier modules enabled in any virtual server.

Credits

  Problem reported with suggestion of fix by David Hedbor <dhedbor@real.com>

--
Peter Bortas, Roxen Internet Software AB
David Hedbor, Real Networks Inc.

Copyright 2013, SecurityGlobal.net LLC