COMMAND

    Roxen Web Server

SYSTEMS AFFECTED

    All Roxen 2.0 releases before 2.0.69

PROBLEM

    'zorgon' found the following.  He discovered two problems in
    Roxen Web server 2.0.46 (and certainly prior).  Perhaps they are
    not important.

    * First problem:
      Suppose that Roxen is installed by default in /usr/local, the

        /usr/local/roxen/configurations/_configinterface/settings/administrator_uid

      file holds the crypted password of the Web server's
      administrator.  By default, its permissions are 644, which
      allows a local user to read the file and crack the password.

    * Second problem:
      If you request the URL:

        http://www.victim.com/%00/

      you will see the contents of the site in question.  This bug was
      tested directly on Roxen's own web site.

    So, Roxen 2.0 up to version 2.0.68 has a vulnerability where URLs
    containing null characters can give the browser access to
    information it is not authorized to see:

        * Directory listings in directories with index files
        * In normal filesystems: the source code for RXML files, Pike
          scripts, CGIs etc.
        * Information protected by .htaccess files might be revealed
          under special circumstances
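
    An added example (not part of the original advisory or of Roxen's
    code) for spotting the second problem in access logs: it flags
    requests whose path decodes to a null byte.  The Common Log Format
    layout, the function names and the sample lines are assumptions; it
    also catches the double-encoded form %2500, which goes beyond the
    single URL shown above.

```python
import re
from urllib.parse import unquote_to_bytes

# Assumed Common Log Format: client - - [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def decode_path(target, max_rounds=3):
    """Percent-decode the path repeatedly so %2500 is also reduced to NUL."""
    raw = target.split("?", 1)[0].encode("latin-1", "replace")
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(raw)
        if decoded == raw:
            break
        raw = decoded
    return raw

def find_nul_requests(lines):
    """Return (client, target, status) for requests whose path decodes to NUL."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        client, _method, target, status = m.groups()
        if b"\x00" in decode_path(target):
            hits.append((client, target, int(status)))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2000:10:00:00 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.77 - - [01/Jan/2000:10:00:05 +0000] "GET /%00/ HTTP/1.0" 200 5120',
    '192.0.2.77 - - [01/Jan/2000:10:00:09 +0000] "GET /scripts/%2500 HTTP/1.0" 404 210',
    '192.0.2.10 - - [01/Jan/2000:10:00:12 +0000] "GET /docs/100%25.html HTTP/1.0" 200 880',
]

if __name__ == "__main__":
    for client, target, status in find_nul_requests(SAMPLE_LOG):
        # A 2xx status means the server returned content for the NUL path.
        note = "SERVED" if 200 <= status < 300 else "rejected"
        print(f"{client} {target} -> {status} ({note})")
```

    Hits answered with a 2xx status are the ones to review first, since
    the server returned content for the null-byte path.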

SOLUTION

    Roxen  SiteBuilder  is  ONLY  affected  by  the  directory listing
    vulnerability.   An   update  package  labeled   'Fix  for   "%00"
    vulnerability' is available from the Roxen 2.0 update server.  Use
    the administration  interface to  download and  install this  fix.
    Note  that  the  server  needs  to  be  restarted  when the fix is
    installed.

    A patch for Roxen 1.3.122 (the latest 1.3 release) is available
    as

        ftp://ftp.roxen.com/pub/roxen/patches/roxen_1.3.122-http.pike.patch

    and should be applied to server/protocols/http.pike.  The Roxen
    2.0 upgrade package is also available as a patch if the update
    server cannot be used for some reason:

        ftp://ftp.roxen.com/pub/roxen/patches/roxen_2.0.50-http.pike.patch