COMMAND

    Roxen

SYSTEMS AFFECTED

    All Roxen 2.0 releases before 2.0.92 and 2.1 releases before 2.1.264

PROBLEM

    Roxen Webserver  2.0 up  to version  2.0.92 and  2.1 up to version
    2.1.264 has a vulnerability that  allows any user to retrieve  any
    file from the host with the privileges of the web server.   Having
    the CGI-module enabled escalates the problem by making it possible
    to run any executable.

    Roxen Webserver  2.0 up  to version  2.0.92 and  2.1 up to version
    2.1.264 In  Roxen 2.0  a new  module was  introduced which decodes
    URLs encoded using  UTF-8 (and later  Mac and iso-2202  encoding).
    The problem is  that the newly  decoded URL is  not normalized and
    can contain references to files outside of the directories  served
    by the web server.   Whether or not the "URL-rectifier"  module is
    enabled is not relevant.

    Roxen  Platform/SiteBuilder  is  not  affected  unless  any of the
    following modules have been added to the server:

        * Normal File system
        * Restricted file system
        * User file system
        * Frontpage Script support
        * CGI scripting support
        * Fast CGI support
        * Plain filesystem

    These modules are NOT part of a normal Platform/SiteBuilder setup.

    Roxen  versions  1.3  and  earlier  are  not  affected  unless the
    unofficial  de-UTF8  or  URL  rectifier  modules are installed and
    enabled.

    Problem reported with suggestion of fix by David Hedbor.

SOLUTION

    An update package labeled  'Fix for file access  vulnerability' is
    available  from  the  Roxen  2.1  update  server  for users of the
    2.1.247 and  2.1.262 releases.   Use the  administration interface
    to download and install this fix.   Note that the server needs  to
    be restarted when the fix is installed.

    Patches and instructions  how to apply  them for all  2.x releases
    are available at  http://download.roxen.com/ on the  download page
    for  the  version  of  Roxen  you  are  using.   All  2.x releases
    available on download.roxen.com are patched.

    Users of Roxen 1.3 should make sure that they do not have  de-UTF8
    or URL rectifier modules enabled in any virtual server.