Vulnerability
  Roxen

Affected
  All systems running Roxen with the Pike-tag enabled.

Description
  Peter Bortas found the following. Following some discussion on the Roxen
  mailing list, a rather nasty exploit that works on many Roxen servers was
  discovered. To a lesser degree this also applies to all systems running
  Roxen with the main RXML parser enabled. Due to the recursive nature of
  RXML it is vital that input from the client is properly quoted or stopped
  from further recursive parsing. The code for the <referer> tag failed to
  do this properly.

  OBSERVE: You are not protected just because you are not using the
  <referer> tag!

Solution
  Apply this patch to htmlparse.pike:

--- htmlparse.pike	1999/05/25 11:40:57	1.180
+++ htmlparse.pike	1999/10/05 08:30:18
@@ -2521,7 +2521,7 @@
 if(m->help) return ("Compatibility alias for referrer");
 if(id->referer)
- return sizeof(id->referer)?id->referer*"":m->alt?m->alt:"..";
+ return sizeof(id->referer)?({ id->referer*"" }):m->alt?m->alt:"..";
 return m->alt?m->alt:"..";
 }

  cd to the Roxen directory and run:

    patch server/modules/tags/htmlparse.pike < file_with_patch

  Or, disable the RXML parser in all your Roxen servers. This will also
  automatically disable the Pike-tag.

  The patch is also available as
  ftp://ftp.roxen.com/pub/roxen/patches/roxen_1.3.111-htmlparse.pike.patch
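Review bot: the hunk as printed is one line short of what its header `@@ -2521,7 +2521,7 @@` promises (six lines are visible, seven are declared), and the indentation of the context lines has evidently been lost, so `patch` is likely to reject this transcription; apply the copy from the FTP URL given in the Solution rather than a hand-copied version of the text above. The change itself is sound for the `id->referer` branch: wrapping the joined header in `({ ... })` makes the RXML parser insert the value as-is instead of parsing it again, which is exactly the "stop further recursive parsing" the Description calls for. The help string says this tag is a "Compatibility alias for referrer", so please confirm the primary `referrer` tag returns its header the same wrapped way, otherwise the same client-controlled value still reaches the parser through the other name. The `m->alt` and `".."` fallbacks remain plain strings, which is acceptable because they come from the template author, not the client.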
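The following is an added illustration of the parsing hazard the Description refers to; it is a toy model written for this page, not Roxen or Pike code. It builds a tiny recursive tag language in the spirit of RXML, defines a harmless `<upper>` tag, and shows the `<referer>` tag twice: once returning the raw header as a plain string (re-parsed, as before the patch) and once returning it marked as a `Literal` (inserted verbatim, which is the role the `({ ... })` array wrapper plays in the patch). The tag names, the `Literal` class, the `render()` and `header_contains_markup()` helpers and the sample request are all constructed for this example; the `alt` attribute fallback of the real tag is omitted.

```python
import re

# Toy tag grammar: <name>body</name> (container) or <name/> (empty tag).
TAG_RE = re.compile(r"<(\w+)(?:>(.*?)</\1>|\s*/>)", re.DOTALL)
MAX_DEPTH = 8  # guard against runaway recursion in the toy


class Literal(str):
    """Tag output to be inserted verbatim and never parsed again.

    Plays the role of the ({ ... }) array wrapper in the Roxen patch.
    """


def parse(text, tags, request, depth=0):
    """Expand tags in text. Plain-string results are parsed again, like RXML."""
    if depth > MAX_DEPTH:
        raise RecursionError("tag nesting too deep")

    def expand(match):
        name, body = match.group(1), match.group(2)
        handler = tags.get(name)
        if handler is None:
            return match.group(0)          # unknown tag: left untouched
        if body is not None:
            body = parse(body, tags, request, depth + 1)
        out = handler(body, request)
        if isinstance(out, Literal):
            return str(out)                # quoted: contents never re-parsed
        return parse(out, tags, request, depth + 1)  # re-parsed (the hazard)

    return TAG_RE.sub(expand, text)


def tag_upper(body, request):
    """Harmless demo container tag: upper-cases its body."""
    return (body or "").upper()


def tag_referer_unsafe(body, request):
    """Before the patch: raw header returned as a string, so it is re-parsed."""
    return request.get("Referer") or ".."


def tag_referer_safe(body, request):
    """After the patch: header marked Literal, inserted without re-parsing."""
    return Literal(request.get("Referer") or "..")


def render(template, request, referer_tag):
    """Render a template with the given implementation of the referer tag."""
    tags = {"upper": tag_upper, "referer": referer_tag}
    return parse(template, tags, request)


def header_contains_markup(value):
    """Defensive check for logging: does a request header carry tag syntax?"""
    return TAG_RE.search(value or "") is not None


# Constructed sample request: the Referer carries a tag of the toy language.
REQUEST = {"Referer": "http://example.test/<upper>tag</upper>"}
TEMPLATE = "You came from: <referer/>"

if __name__ == "__main__":
    print("unsafe:", render(TEMPLATE, REQUEST, tag_referer_unsafe))
    print("safe:  ", render(TEMPLATE, REQUEST, tag_referer_safe))
    print("flag:  ", header_contains_markup(REQUEST["Referer"]))
```

With the unsafe tag the `<upper>` tag smuggled in through the header is executed by the parser and the output reads `http://example.test/TAG`; with the literal-returning tag the header text comes through untouched. Note that marking the value literal only stops the server-side parser; it does not HTML-escape the value for the browser, which is a separate concern the patch does not address. The `header_contains_markup()` check is the kind of coarse condition one can log on to spot requests carrying tag syntax in headers.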