From Mindsec.com via the Roxen-Announce mailing list.

Begin Forward:

Following some discussion on the Roxen mailing list a rather nasty exploit that works on many Roxen servers was discovered.

Systems Affected:
All systems running Roxen with the Pike-tag enabled. It also applies, to a lesser degree, to all systems running Roxen with the main RXML-parser enabled.

Description:
Due to the recursive nature of RXML it is vital that input from the client is properly quoted or stopped from further recursive parsing. The code for the <referer>-tag failed to do this properly.

OBSERVE: You are not protected just because you are not using the <referer>-tag! Why will be explained in a later post containing instructions on how this can be exploited. Fix your server now.

Solution:
Apply this patch to htmlparse.pike:

-----8<---------------------------------------------------
--- htmlparse.pike 1999/05/25 11:40:57 1.180
+++ htmlparse.pike 1999/10/05 08:30:18
@@ -2521,7 +2521,7 @@ if(m->help) return ("Compatibility alias for referrer"); if(id->referer) - return sizeof(id->referer)?id->referer*"":m->alt?m->alt:".."; + return sizeof(id->referer)?({ id->referer*"" }):m->alt?m->alt:".."; return m->alt?m->alt:".."; }
-----8<---------------------------------------------------

cd to the Roxen directory and run:

patch server/modules/tags/htmlparse.pike < file_with_patch

Or, disable the RXML-parser in all your Roxen servers. This will also automatically disable the Pike-tag.

Note: I have purposefully not said how to make a general exploit for this. I would appreciate it if those of you who are clever enough to figure it out for yourselves would keep that information to yourselves for the next 48 hours or so, unless you find a very good reason it must be told. Hopefully that will give administrators enough time to fix most installations.

The patch is also available as ftp://ftp.roxen.com/pub/roxen/patches/roxen_1.3.111-htmlparse.pike.patch

--
Peter Bortas    http://peter.bortas.org
Idonex AB       http://www.idonex.com
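Review bot: only the client-controlled branch of the changed `return` is made literal; the `m->alt` fallback in the same expression, and the trailing `return m->alt?m->alt:"..";`, are still handed back as bare strings and therefore still go through another parse pass. That is tolerable as long as the alt attribute is only ever written by the page author, but wrapping those returns in `({ })` too would make the tag uniformly literal and remove the need to reason about where alt comes from. Separately, `@@ -2521,7 +2521,7 @@` announces seven lines per side while only six survive in this copy of the hunk, so anyone applying it by hand from this message should fetch the patch file from ftp.roxen.com rather than retype it.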
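The advisory's point is that the RXML parser feeds a tag's string result back through itself, so a tag that returns a client-supplied header as a bare string lets the client inject further tags. The following is an added toy model of that behaviour, written for this page and not taken from Roxen's htmlparse.pike: the parser mirrors the callback contract the patch relies on (a string result is re-parsed, an array result is inserted verbatim), `referer_vulnerable` and `referer_fixed` mirror the pre- and post-patch `return` lines, and the `<pike code="...">` syntax, the `parse_rxml`/`render` names, the sample page and the Referer value are all constructed for the example.

```python
import re
from typing import Callable, Dict, List, Tuple, Union

# Assumption: this mirrors the contract of the parse_html()-style callbacks the
# Roxen RXML parser is built on -- a callback returning a string hands the
# string back to the parser (recursive parse), a callback returning an array
# has its elements inserted literally.  It is a toy, not Roxen's own code.
TagResult = Union[str, List[str]]
TagHandler = Callable[[Dict[str, str], dict], TagResult]

TAG_RE = re.compile(r'<([a-zA-Z]+)((?:\s+[a-zA-Z]+="[^"]*")*)\s*/?>')
ATTR_RE = re.compile(r'([a-zA-Z]+)="([^"]*)"')
MAX_DEPTH = 16


def parse_rxml(data: str, tags: Dict[str, TagHandler], request: dict, depth: int = 0) -> str:
    """Expand known tags in `data`; unknown tags pass through untouched."""
    if depth > MAX_DEPTH:
        raise RecursionError("RXML tag expansion nested too deeply")
    out: List[str] = []
    pos = 0
    for m in TAG_RE.finditer(data):
        out.append(data[pos:m.start()])
        pos = m.end()
        handler = tags.get(m.group(1).lower())
        if handler is None:
            out.append(m.group(0))
            continue
        result = handler(dict(ATTR_RE.findall(m.group(2))), request)
        if isinstance(result, list):
            out.extend(result)  # array: inserted verbatim, never re-parsed
        else:
            out.append(parse_rxml(result, tags, request, depth + 1))  # string: parsed again
    out.append(data[pos:])
    return "".join(out)


def pike_tag(args: Dict[str, str], request: dict) -> TagResult:
    """Stand-in for a server-side code tag (hypothetical <pike code="..."> syntax)."""
    request["executed"].append(args.get("code", ""))
    return ["<!-- pike output -->"]


def referer_vulnerable(args: Dict[str, str], request: dict) -> TagResult:
    """Pre-patch logic: id->referer*"" is returned as a bare string."""
    ref = request["referer"]
    return "".join(ref) if ref else args.get("alt", "..")


def referer_fixed(args: Dict[str, str], request: dict) -> TagResult:
    """Patched logic: the joined header is wrapped in an array, ({ ... }) in Pike."""
    ref = request["referer"]
    return ["".join(ref)] if ref else args.get("alt", "..")


# Constructed sample page and a constructed Referer header that carries a tag.
TEMPLATE = '<p>You came from: <referer alt="nowhere"></p>'
INJECTED_REFERER = 'http://attacker.example/<pike code="evil">'


def render(template: str, referer_header: str, fixed: bool) -> Tuple[str, List[str]]:
    """Return (rendered page, list of code strings the pike tag was asked to run)."""
    request = {"referer": [referer_header] if referer_header else [], "executed": []}
    tags = {"pike": pike_tag, "referer": referer_fixed if fixed else referer_vulnerable}
    return parse_rxml(template, tags, request), request["executed"]


if __name__ == "__main__":
    for fixed in (False, True):
        html, ran = render(TEMPLATE, INJECTED_REFERER, fixed)
        print("fixed" if fixed else "vulnerable", "->", html, "| executed:", ran)
```

With the pre-patch handler the tag smuggled in through the Referer header is expanded and the modelled server-side tag runs; with the patched handler the same header lands in the page as inert text. The depth limit is there because a string-returning tag can also be made to expand itself indefinitely, which is the other consequence of the recursion the advisory describes.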
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:06:56 PDT