
2000 Roxen Internet Software

Download Roxen WebServer 2.0


Security Notice

Unfortunately, a severe security problem has been discovered in Roxen 2.x. All users are recommended to upgrade.

Exploit description

Any file readable by the webserver can be fetched.

Affected systems

Roxen WebServer/Platform 2.0.92 or earlier and Roxen WebServer/Platform 2.1.264 or earlier with any of the following modules are affected:

  • Normal File system
  • Restricted file system
  • User file system
  • Frontpage Script support
  • CGI scripting support
  • Fast CGI support
  • Plain filesystem

Roxen Platform servers with the default set of modules should be unaffected since Platform normally uses a special file system module.

Solution

Apply a patch which does URL simplification after decoding. Patches for Roxen 2.0 and 2.1 are available for download at download.roxen.com. Execute the following in the roxen/server/ directory:

gzip -d -c [diff file] | patch -p0

Roxen 2.2 users are recommended to do a cvs update. It is recommended to upgrade even if the required modules are not loaded. New distributions for Roxen 2.1 will be released shortly.
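
Why the order matters, as an added example (not Roxen's code, which is written in Pike): it assumes the flaw was that path simplification ran before URL decoding, as the description of the fix implies. DOCROOT, the function names and the sample request path are constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

DOCROOT = "/srv/www"  # hypothetical document root (assumption)

def simplify(path):
    """Collapse '.', '..' and empty segments; never climb above '/'."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)

def resolve_simplify_then_decode(raw):
    """Flawed order: percent-encoded dot segments are opaque to simplify(),
    then decoding turns them back into real '..' components."""
    return DOCROOT + unquote(simplify(raw))

def resolve_decode_then_simplify(raw):
    """Order the patch describes: decode first, then simplify."""
    return DOCROOT + simplify(unquote(raw))

def inside_docroot(fs_path):
    """Defence in depth: test the normalized filesystem path itself."""
    real = posixpath.normpath(fs_path)
    return real == DOCROOT or real.startswith(DOCROOT + "/")

# Constructed sample request path with encoded dot segments.
SAMPLE = "/docs/%2e%2e/%2e%2e/private/notes.txt"

if __name__ == "__main__":
    for fn in (resolve_simplify_then_decode, resolve_decode_then_simplify):
        p = fn(SAMPLE)
        print(fn.__name__, "->", p, "| inside docroot:", inside_docroot(p))
```

The containment check on the final filesystem path catches the flawed order even when the URL-level simplification is bypassed, which is why it is worth keeping alongside the corrected ordering.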

Credits

Problem reported by David Hedbor


