COMMAND
Roxen
SYSTEMS AFFECTED
All Roxen 2.0 releases before 2.0.92 and 2.1 releases before 2.1.264
PROBLEM
Roxen Webserver 2.0 up to version 2.0.92 and 2.1 up to version
2.1.264 has a vulnerability that allows any user to retrieve any
file from the host with the privileges of the web server. Having
the CGI-module enabled escalates the problem by making it possible
to run any executable.
In Roxen 2.0 a new module was introduced which decodes
URLs encoded using UTF-8 (and later Mac and ISO-2022 encoding).
The problem is that the newly decoded URL is not normalized and
can contain references to files outside of the directories served
by the web server. Whether or not the "URL-rectifier" module is
enabled is not relevant.
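
The ordering problem described above, as an added illustration in Python (not Roxen's own code, which is written in Pike): a resolver that decodes after normalizing and never re-checks the result, next to one that decodes first, normalizes, and then verifies the path is still inside the served directory. DOCROOT, the function names and the sample request paths are constructed for this example; the percent-encoded input only stands in for an encoded URL and is not the request used against Roxen.

```python
import posixpath
from urllib.parse import unquote

DOCROOT = "/srv/www"  # assumed document root, constructed for this example


def normalize(path):
    """Collapse '.', '..' and repeated slashes in an absolute URL path."""
    return posixpath.normpath("/" + path.lstrip("/"))


def resolve_decode_last(url_path):
    """Flawed order: normalize, then decode, then use the result unchecked."""
    decoded = unquote(normalize(url_path), encoding="utf-8")
    return posixpath.join(DOCROOT, decoded.lstrip("/"))


def resolve_decode_first(url_path):
    """Hardened order: decode strictly, normalize, then check containment.

    Returns the file system path, or None if the request must be refused.
    """
    try:
        decoded = unquote(url_path, encoding="utf-8", errors="strict")
    except UnicodeDecodeError:
        return None  # bytes that are not valid UTF-8
    if "\x00" in decoded:
        return None  # NUL would truncate the name in C-level file APIs
    candidate = posixpath.normpath(posixpath.join(DOCROOT, decoded.lstrip("/")))
    if candidate != DOCROOT and not candidate.startswith(DOCROOT + "/"):
        return None  # resolves outside the served directory
    return candidate


if __name__ == "__main__":
    # Constructed request paths, not taken from the advisory.
    for sample in ("/docs/../index.html", "/caf%C3%A9.html",
                   "/%2e%2e/%2e%2e/etc/passwd", "/../www-private/x", "/%ff/a"):
        print(f"{sample!r}: decode-last={resolve_decode_last(sample)!r} "
              f"decode-first={resolve_decode_first(sample)!r}")
```

The containment check here is purely lexical; a server that follows symbolic links also has to resolve them before comparing against the document root.
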
Roxen Platform/SiteBuilder is not affected unless any of the
following modules have been added to the server:
* Normal File system
* Restricted file system
* User file system
* Frontpage Script support
* CGI scripting support
* Fast CGI support
* Plain filesystem
These modules are NOT part of a normal Platform/SiteBuilder setup.
Roxen versions 1.3 and earlier are not affected unless the
unofficial de-UTF8 or URL rectifier modules are installed and
enabled.
Problem reported with suggestion of fix by David Hedbor.
SOLUTION
An update package labeled 'Fix for file access vulnerability' is
available from the Roxen 2.1 update server for users of the
2.1.247 and 2.1.262 releases. Use the administration interface
to download and install this fix. Note that the server needs to
be restarted when the fix is installed.
Patches and instructions on how to apply them for all 2.x releases
are available at http://download.roxen.com/ on the download page
for the version of Roxen you are using. All 2.x releases
available on download.roxen.com are patched.
Users of Roxen 1.3 should make sure that they do not have de-UTF8
or URL rectifier modules enabled in any virtual server.