|
Vulnerability Roxen Web Server Affected All Roxen 2.0 releases before 2.0.69 Description 'zorgon' found following. He discover two problems in Roxen Web server 2.0.46 (and certainly prior). Perhaps it doesn't important. * First problem: Suppose that Roxen is installed by default in /usr/local, the /usr/local/roxen/configurations/_configinterface/settings/administrator_uid file holds the crypt password of the Web server's administrator. By default, the permissions are on 644. So, it allows a local user to read and decrypt the password. * Second problem: If you typed the URL: http://www.victim.com/%00/ you will see the contents of site in question. This bug was directly tested on the Roxen's web site. So, Roxen 2.0 up to version 2.0.68 has a vulnerability where using URLs containing null characters can gain the browser access to information he is not authorized to: * Directory listings in directories with index files * In normal filesystems: the sourcecode for RXML files, Pike scripts, CGIs etc. * information protected by .htaccess files might be revealed under special circumstances Solution Roxen SiteBuilder is ONLY affected by the directory listing vulnerability. An update package labeled 'Fix for "%00" vulnerability' is available from the Roxen 2.0 update server. Use the administration interface to download and install this fix. Note that the server needs to be restarted when the fix is installed. A patch for Roxen 1.3.122 (the latest 1.3 release) is a available as ftp://ftp.roxen.com/pub/roxen/patches/roxen_1.3.122-http.pike.patch and should be applied to server/protocols/http.pike. The Roxen 2.0 upgrade package is also available as a patch if the update server can not be used for some reason: ftp://ftp.roxen.com/pub/roxen/patches/roxen_2.0.50-http.pike.patch