COMMAND
Roxen Web Server
SYSTEMS AFFECTED
All Roxen 2.0 releases before 2.0.69
PROBLEM
'zorgon' found the following. He discovered two problems in Roxen Web
server 2.0.46 (and most likely earlier releases). Perhaps they are not
important.
* First problem:
Assuming Roxen is installed in its default location under /usr/local, the
file
/usr/local/roxen/configurations/_configinterface/settings/administrator_uid
holds the crypt() password hash of the Web server's administrator.
By default its permissions are 644, so any local user can read the
hash and crack the password.
* Second problem:
If you request the URL:
http://www.victim.com/%00/
you will see the directory contents of the site in question. This bug
was tested directly on Roxen's own web site.
So, Roxen 2.0 up to version 2.0.68 has a vulnerability where URLs
containing null characters can give the browser access to information
it is not authorized to see:
* Directory listings in directories that have index files
* In normal filesystems: the source code of RXML files, Pike
scripts, CGIs etc.
* Information protected by .htaccess files might be revealed
under special circumstances
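The defensive check that the bug above calls for, written here as an added example (it is not Roxen code): percent-decode the request path, refuse anything that decodes to a NUL byte, and scan access-log lines for such requests. The log lines are constructed for the example; the three-round decode bound is an assumption to catch nested encodings like %2500.

```python
import re
from urllib.parse import unquote_to_bytes

MAX_DECODE_ROUNDS = 3  # assumption: collapse nested encodings (%2500 -> %00 -> NUL)


def decoded_path(raw_path: str) -> bytes:
    """Percent-decode repeatedly (bounded) until the path stops changing."""
    cur = raw_path.encode("utf-8")
    for _ in range(MAX_DECODE_ROUNDS):
        nxt = unquote_to_bytes(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def is_safe_path(raw_path: str) -> bool:
    """Return False for any path whose decoded form contains a NUL byte.

    A NUL is never legitimate in a URL path: a filesystem layer using
    C-style strings may stop at the NUL while the URL layer still sees the
    whole string, so index-file and access checks operate on different names.
    """
    return b"\x00" not in decoded_path(raw_path)


# Constructed access-log lines in common log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2000:12:00:01 +0200] "GET /index.html HTTP/1.0" 200 512
203.0.113.7 - - [10/Oct/2000:12:00:05 +0200] "GET /%00/ HTTP/1.0" 200 2048
203.0.113.9 - - [10/Oct/2000:12:00:09 +0200] "GET /docs/%2500/ HTTP/1.0" 200 1900
"""

REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/\d\.\d"')


def flag_null_byte_requests(log_text: str) -> list[str]:
    """Return the request paths in the log whose decoded form contains a NUL."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and not is_safe_path(m.group(1)):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    print(flag_null_byte_requests(SAMPLE_LOG))  # ['/%00/', '/docs/%2500/']
```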
SOLUTION
Roxen SiteBuilder is ONLY affected by the directory listing
vulnerability. An update package labeled 'Fix for "%00"
vulnerability' is available from the Roxen 2.0 update server. Use
the administration interface to download and install this fix.
Note that the server needs to be restarted when the fix is
installed.
A patch for Roxen 1.3.122 (the latest 1.3 release) is available
at
ftp://ftp.roxen.com/pub/roxen/patches/roxen_1.3.122-http.pike.patch
and should be applied to server/protocols/http.pike. The Roxen
2.0 upgrade package is also available as a patch if the update
server cannot be used for some reason:
ftp://ftp.roxen.com/pub/roxen/patches/roxen_2.0.50-http.pike.patch