Roxen is vulnerable to a recursive Pike-tag vulnerability
15 Oct. 1999
Summary
Because RXML is parsed recursively, it is vital that input originating from the client is either properly quoted or marked so that it is not fed back into the parser. The code for the <referer> tag failed to do this properly, so the contents of the client-supplied Referer header were parsed as RXML.
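To make the recursive-parsing problem concrete, here is a small added model of an RXML-style tag expander (example code, not Roxen's parser): a tag handler that returns a plain string has its result parsed again, while a result wrapped in the constructed Verbatim marker is inserted as-is, which is the role the ({ }) array return plays in the patch below. The <date> tag and the request dictionary are constructed stand-ins.

```python
import re

# Matches simple tags such as <referer> or <date>; a stand-in for the RXML tag syntax.
TAG_RE = re.compile(r"<(\w+)>")


class Verbatim(str):
    """Marker type: text that must be inserted literally and never reparsed."""


def parse_rxml(text, tags, request, depth=0):
    """Expand every known <tag> in text.

    Plain string results are reparsed (the recursive RXML convention);
    Verbatim results are inserted without another parsing pass.
    """
    if depth > 10:  # guard against runaway recursion
        raise ValueError("RXML nesting too deep")

    def expand(match):
        handler = tags.get(match.group(1))
        if handler is None:
            return match.group(0)  # unknown tag: leave untouched
        out = handler(request)
        if isinstance(out, Verbatim):
            return str(out)  # client data stays data
        return parse_rxml(out, tags, request, depth + 1)

    return TAG_RE.sub(expand, text)


def referer_unsafe(request):
    """Pre-patch behaviour: the Referer header is returned as a plain string."""
    return request.get("referer", "..")


def referer_fixed(request):
    """Post-patch behaviour: the Referer header is marked verbatim."""
    return Verbatim(request.get("referer", ".."))


def date_tag(request):
    """Constructed stand-in for any server-side tag (fixed value for the demo)."""
    return "1999-10-15"


def render(page, request, referer_handler):
    """Render a page with the given referer handler; returns the expanded text."""
    tags = {"referer": referer_handler, "date": date_tag}
    return parse_rxml(page, tags, request)
```

With the unsafe handler a Referer value such as "http://example.invalid/?x=<date>" has its <date> expanded by the server; with the fixed handler the tag text is output literally.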
Credit:
This information has been provided by: Erik Parker.
Vulnerable systems:
All systems running Roxen with the Pike tag enabled are vulnerable to attack. This also applies (to a lesser degree) to all systems running Roxen with the main RXML parser enabled.
Please note that you are not protected merely because you are not using the <referer> tag!
Solution:
Apply this patch to htmlparse.pike:
--- htmlparse.pike 1999/05/25 11:40:57 1.180
+++ htmlparse.pike 1999/10/05 08:30:18
@@ -2521,7 +2521,7 @@
if(m->help)
return ("Compatibility alias for referrer");
if(id->referer)
- return sizeof(id->referer)?id->referer*"":m->alt?m->alt:"..";
+ return sizeof(id->referer)?({ id->referer*"" }):m->alt?m->alt:"..";
return m->alt?m->alt:"..";
}
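Review bot: the one-line change in the `if(id->referer)` branch wraps the joined header value in an array, `({ id->referer*"" })`, which is the parse_html convention for "insert this text as-is, do not reparse it", so RXML tags inside a client-supplied Referer header are no longer evaluated. The `m->alt` fallbacks on the same line and the final `return m->alt?m->alt:"..";` still return plain strings that will be reparsed; that is acceptable only because `alt` is a tag attribute written by the page author, and it would be worth a comment in the code stating that no client-controlled value may be returned unwrapped from this function.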
cd to the Roxen directory and run: patch server/modules/tags/htmlparse.pike < file_with_patch
Alternatively, disable the RXML parser in all your Roxen servers; this also automatically disables the Pike tag.