Date: Sat, 31 Jan 2015 23:27:54 +0100
From: Felix Eckhofer <felix@...but.de>
To: oss-security@...ts.openwall.com
Subject: RCE, XSS and HTTP header injection in fli4l web interface

== fli4l security advisory ====================================================

Package:    httpd
Impact:     Root Compromise (existing account for web administration interface)
            Cross-site Scripting
            HTTP header injection

===============================================================================

1. Summary:

Several vulnerabilities were discovered in the web administration frontend for
fli4l contained in the 'httpd' package.  These include arbitrary command
execution, XSS vulnerabilities and HTTP header injection.

2. Relevant releases:

Fli4l 3.x: All versions
Fli4l 4.0: All tarballs up to 2015-01-23

3. Description:

The function show_tab_header provided by include/cgi-helper insufficiently
sanitized its input. An attacker could use this flaw to execute arbitrary
programs on the router as root. The affected scripts included with the httpd
package require the attacker to have a valid login for the web administration
interface.

The script admin/pf.cgi insufficiently sanitized its input. An attacker with at
least "support:systeminfo" rights could use this flaw to execute arbitrary
programs on the router as root.

The script admin/conntrack.cgi insufficiently escaped its output. An attacker
could use this flaw to perform a cross-site scripting (XSS) attack against an
authenticated user with at least "conntrack:view" rights.

The script admin/index.cgi insufficiently escaped its output. An attacker could
use this flaw to perform a cross-site scripting (XSS) attack against any
authenticated user.

The script admin/log_syslog.cgi insufficiently escaped its output. An attacker
could use this flaw to perform a cross-site scripting (XSS) attack against an
authenticated user with any rights within the "logs" realm.

The script admin/problems.cgi insufficiently escaped its output. An attacker
could use this flaw to perform a cross-site scripting (XSS) attack against any
authenticated user.

The script admin/status.cgi insufficiently escaped its output. An attacker
could use this flaw to perform a cross-site scripting (XSS) attack against an
authenticated user with any rights within the "status" realm.

The script admin/status_network.cgi insufficiently escaped its output. An
attacker could use this flaw to perform a cross-site scripting (XSS) attack
or inject HTTP headers into the response against an authenticated user with at
least "status:view" rights.

The script admin/status_system.cgi insufficiently escaped its output. An
attacker could use this flaw to perform a cross-site scripting (XSS) attack
against an authenticated user with at least "status:view" rights.

We recommend that all users upgrade to the new package versions.

4. Solution:

These issues are fixed in fli4l Version 3.10.1 and tarballs of the development
branch 4.0 from 2015-01-30 and later.

As a workaround, the web administration interface can be disabled (set
OPT_HTTPD='no'). Alternatively, revoke access to the web interface for
all untrusted users and only use the incognito mode of your browser to access
the web administration interface.

5. Acknowledgments:

These issues were discovered by Felix Eckhofer during an internal code audit.

6. Contact:

The fli4l security team can be reached using security-team [at] fli4l [dot] de.
More information is available on http://www.fli4l.de/en/home/security/
