© 2000 Roxen Internet Software
Unfortunately, a severe security problem has been discovered in Roxen 2.x. All users are recommended to upgrade.
Any file readable by the webserver can be fetched.
Roxen WebServer/Platform 2.0.92 or earlier and Roxen WebServer/Platform 2.1.264 or earlier with any of the following modules are affected:
Roxen Platform servers with the default set of modules should be unaffected since Platform normally uses a special file system module.
Apply a patch which does URL simplification after decoding. Patches for Roxen 2.0 and 2.1 are available for download at download.roxen.com. Execute the following in the roxen/server/ directory:
gzip -d -c [diff file] | patch -p0
Roxen 2.2 users are recommended to do a cvs update. It is recommended to upgrade even if the required modules are not loaded. New distributions for Roxen 2.1 will be released shortly.
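The ordering the patch enforces (URL simplification only after decoding), sketched in Python as an added illustration; this is not Roxen's code or the patch itself. The document root, function names and request paths are constructed, and the sketch assumes the unpatched order simplified the path while it was still percent-encoded.

```python
import posixpath
from urllib.parse import unquote

DOCROOT = "/srv/www"  # constructed document root, not a Roxen path

def simplify(path):
    """Collapse '.', '..' and empty segments; '..' never climbs above '/'."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
        else:
            out.append(seg)
    return "/" + "/".join(out)

def escapes_root(full):
    """True if a resolved filesystem path lies outside DOCROOT."""
    return full != DOCROOT and not full.startswith(DOCROOT + "/")

def resolve_simplify_then_decode(raw):
    """Assumed weak order: '%2e%2e' is not seen as '..' when simplifying."""
    decoded = unquote(simplify(raw))
    # normpath models how the filesystem resolves the leftover '..' segments
    return posixpath.normpath(DOCROOT + decoded)

def resolve_decode_then_simplify(raw):
    """Patched order: decode exactly once, then simplify, then check."""
    decoded = unquote(raw)
    if "\0" in decoded:
        raise ValueError("NUL byte in request path")
    full = posixpath.normpath(DOCROOT + simplify(decoded))
    if escapes_root(full):  # defence in depth; simplify() already clamps
        raise ValueError("request path escapes document root")
    return full

if __name__ == "__main__":
    # Constructed request paths: plain, encoded dot segments, double-encoded.
    for raw in ("/docs/./index.html",
                "/docs/%2e%2e/%2e%2e/private/notes.txt",
                "/docs/%252e%252e/x"):
        weak = resolve_simplify_then_decode(raw)
        fixed = resolve_decode_then_simplify(raw)
        print(f"{raw}\n  simplify->decode: {weak} (escapes={escapes_root(weak)})"
              f"\n  decode->simplify: {fixed}")
```

The same comparison is useful as a regression test for any file system module that maps request paths to disk: feed it percent-encoded dot segments and assert that the resolved path stays under the document root.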
Problem reported by David Hedbor