[22101] in bugtraq
FW: Security alert: Remote user can access any file
daemon@ATHENA.MIT.EDU (jkowall)
Fri Aug 3 00:46:55 2001
From: "jkowall" <jkowall@shocking.net>
To: "BugTraq List" <bugtraq@securityfocus.com>
Date: Thu, 2 Aug 2001 16:37:17 -0400
Message-ID: <D6E67FDE85B57145A813D522FFCFABCD4B2AEC@coco.cinteractive.com>
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit

Just posted 10 minutes ago to the roxen lists. Notifying any Roxen
users that this is an important upgrade!

-----Original Message-----
From: peter@kronan.idonex.se [mailto:peter@kronan.idonex.se] On Behalf
Of Peter Bortas
Sent: Thursday, August 02, 2001 4:24 PM
To: roxen@roxen.com
Cc: roxen-alpha@roxen.com
Subject: Security alert: Remote user can access any file

Roxen Webserver 2.0 up to version 2.0.92 and 2.1 up to version 2.1.264
has a vulnerability that allows any user to retrieve any file from the
host with the privileges of the web server. Having the CGI-module
enabled escalates the problem by making it possible to run any
executable.

Systems affected

All Roxen 2.0 releases on all OS's before 2.0.92.
All Roxen 2.1 releases on all OS's before 2.1.264.

Roxen Platform/SiteBuilder is not affected unless any
of the following modules have been added to the server:

* Normal File system
* Restricted file system
* User file system
* Frontpage Script support
* CGI scripting support
* Fast CGI support
* Plain filesystem

These modules are NOT part of a normal Platform/SiteBuilder setup.

Roxen versions 1.3 and earlier are not affected unless the
unofficial de-UTF8 or URL rectifier modules are installed and
enabled.

Solution

An update package labeled 'Fix for file access vulnerability' is
available from the Roxen 2.1 update server for users of the 2.1.247
and 2.1.262 releases. Use the administration interface to download and
install this fix. Note that the server needs to be restarted when the
fix is installed.

Patches and instructions on how to apply them for all 2.x releases are
available at

http://download.roxen.com/

on the download page for the version of Roxen you are using.

All 2.x releases available on download.roxen.com are patched.

Users of Roxen 1.3 should make sure that they do not have de-UTF8 or
URL rectifier modules enabled in any virtual server.

Further information

If you have questions, post them on the Roxen mailing list or to
bugs@roxen.com. If you have a support contract with Roxen, you can
contact Roxen through the normal support channels.

Credits

Problem reported with suggestion of fix by David Hedbor.

--
Peter Bortas http://peter.bortas.org
Roxen IS http://www.roxen.com