Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sat, 31 Jan 2015 23:27:54 +0100
From: Felix Eckhofer <felix@...but.de>
To: oss-security@...ts.openwall.com
Subject: RCE, XSS and HTTP header injection in fli4l web interface

== fli4l security advisory 
====================================================

Package:    httpd
Impact:     Root Compromise (Existing account for web administration 
interface)
             Cross-site Scripting

===============================================================================

1. Summary:

Several vulnerabilities were discovered in the web administration 
frontend for
fli4l contained in the 'httpd' package.  These include arbitrary command
execution, XSS vulnerabilities and HTTP header injection.

2. Relevant releases:

Fli4l 3.x: All versions
Fli4l 4.0: All tarballs up to 2015-01-23

3. Description:

The function show_tab_header provided by include/cgi-helper 
insufficiently
sanitized its input. An attacker could use this flaw to execute 
arbitrary
programs on the router as root. The affected scripts included with the 
httpd
package require the attacker to have a valid login for the web 
administration
interface.

The script admin/pf.cgi insufficiently sanitized its input. An attacker 
with at
least "support:systeminfo" rights could use this flaw to execute 
arbitrary
programs on the router as root.

The script admin/conntrack.cgi insufficiently escaped its output. An 
attacker
could use this flaw to perform a cross-site scripting (XSS) attack 
against an
authenticated user with at least "conntrack:view" rights.

The script admin/index.cgi insufficiently escaped its output. An 
attacker could
use this flaw to perform a cross-site scripting (XSS) attack against any
authenticated user.

The script admin/log_syslog.cgi insufficiently escaped its output. An 
attacker
could use this flaw to perform a cross-site scripting (XSS) attack 
against an
authenticated user with any rights within the "logs" realm.

The script admin/problems.cgi insufficiently escaped its output. An 
attacker
could use this flaw to perform a cross-site scripting (XSS) attack 
against any
authenticated user.

The script admin/status.cgi insufficiently escaped its output. An 
attacker
could use this flaw to perform a cross-site scripting (XSS) attack 
against an
authenticated user with any rights within the "status" realm.

The script admin/status_network.cgi insufficiently escaped its output. 
An
attacker could use this flaw to perform a cross-site scripting (XSS) 
attack
or inject HTTP headers into the response against an authenticated user 
with at
least "status:view" rights.

The script admin/status_system.cgi insufficiently escaped its output. An
attacker could use this flaw to perform a cross-site scripting (XSS) 
attack
against an authenticated user with at least "status:view" rights.

We recommend all users to upgrade to the new package versions.

4. Solution:

These issues are fixed in fli4l Version 3.10.1 and tarballs of the 
development
branch 4.0 from 2015-01-30 and later.

As a workaround, the web administration interface can be disabled (set
OPT_HTTPD='no'). Alternatively, revoke access to the web interface for
all untrusted users and only use the incognito mode of your browser to 
access
the web administration interface.

5. Acknowledgments:

These issues were discovered by Felix Eckhofer during an internal code 
audit.

6. Contact:

The fli4l security team can be reached using security-team [at] fli4l 
[dot] de.
More information is available on http://www.fli4l.de/en/home/security/

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ