Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <5522895F.7000209@gmail.com>
Date: Mon, 06 Apr 2015 15:25:51 +0200
From: Gsunde Orangen <gsunde.orangen@...il.com>
To: oss-security@...ts.openwall.com, fulldisclosure@...lists.org, 
 bugtraq@...urityfocus.com
Subject: Re: Advisory: CVE-2014-9708: Appweb Web Server

Thanks, Matthew, for having spotted this.
As only current versions of Appweb (4 & 5) have been addressed so far,
but legacy versions (see http://embedthis.com/appweb/download.html) were
not mentioned yet in https://github.com/embedthis/appweb/issues/413 :

- Appweb V3: vulnerable, too
-- Source code audit on Appweb 3.4.2:
The vulnerable code is not in the parseRange() function in
paks/http/httpLib.c, but similarly in http/request.c
-- Verified as vulnerable using a device with Appweb 3.4.1

- Appweb V2: not vulnerable
-- Source code audit on Appweb 2.4.4:
V2 was writtein in C++ (not C), the Range parser is in request.cpp and
handles invalid ranges correctly
-- Verified as not vulnerable using a device with Appweb 2.3.1

Gsunde


On 2015-03-28, 03:40 Matthew Daley wrote:
> Affected software: Appweb Web Server
> CVE ID: CVE-2014-9708
> 
> Description: An HTTP request with a Range header of the form "Range:
> x=," (ie. with an empty range value) will cause a null pointer
> dereference, leading to a remotely-triggerable DoS.
> 
> Fixed versions: 4.6.6, 5.2.1
> Bug entry: https://github.com/embedthis/appweb/issues/413
> Fix: https://github.com/embedthis/appweb/commit/7e6a925f5e86a19a7934a94bbd6959101d0b84eb#diff-7ca4d62c70220e0e226e7beac90c95d9L17348
> Reported by: Matthew Daley
> 
> - Matthew Daley
> 

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.