Message-ID: <6a5d47317034484b3746f60913a28e13@tribut.de>
Date: Sat, 31 Jan 2015 23:27:54 +0100
From: Felix Eckhofer <felix@...but.de>
To: oss-security@...ts.openwall.com
Subject: RCE, XSS and HTTP header injection in fli4l web interface

== fli4l security advisory ====================================================

Package: httpd
Impact:  Root Compromise (existing account for web administration interface)
         Cross-site Scripting
===============================================================================

1. Summary:

Several vulnerabilities were discovered in the web administration frontend for
fli4l contained in the 'httpd' package. These include arbitrary command
execution, XSS vulnerabilities and HTTP header injection.

2. Relevant releases:

Fli4l 3.x: All versions
Fli4l 4.0: All tarballs up to 2015-01-23

3. Description:

The function show_tab_header provided by include/cgi-helper insufficiently
sanitized its input. An attacker could use this flaw to execute arbitrary
programs on the router as root. The affected scripts included with the httpd
package require the attacker to have a valid login for the web administration
interface.

The script admin/pf.cgi insufficiently sanitized its input. An attacker with
at least "support:systeminfo" rights could use this flaw to execute arbitrary
programs on the router as root.

The script admin/conntrack.cgi insufficiently escaped its output. An attacker
could use this flaw to perform a cross-site scripting (XSS) attack against an
authenticated user with at least "conntrack:view" rights.

The script admin/index.cgi insufficiently escaped its output. An attacker
could use this flaw to perform a cross-site scripting (XSS) attack against
any authenticated user.

The script admin/log_syslog.cgi insufficiently escaped its output. An
attacker could use this flaw to perform a cross-site scripting (XSS) attack
against an authenticated user with any rights within the "logs" realm.

The script admin/problems.cgi insufficiently escaped its output. An attacker
could use this flaw to perform a cross-site scripting (XSS) attack against
any authenticated user.

The script admin/status.cgi insufficiently escaped its output. An attacker
could use this flaw to perform a cross-site scripting (XSS) attack against an
authenticated user with any rights within the "status" realm.

The script admin/status_network.cgi insufficiently escaped its output. An
attacker could use this flaw to perform a cross-site scripting (XSS) attack
or inject HTTP headers into the response against an authenticated user with
at least "status:view" rights.

The script admin/status_system.cgi insufficiently escaped its output. An
attacker could use this flaw to perform a cross-site scripting (XSS) attack
against an authenticated user with at least "status:view" rights.

We recommend that all users upgrade to the new package versions.

4. Solution:

These issues are fixed in fli4l Version 3.10.1 and in tarballs of the
development branch 4.0 from 2015-01-30 and later.

As a workaround, the web administration interface can be disabled (set
OPT_HTTPD='no'). Alternatively, revoke access to the web interface for all
untrusted users and only use the incognito mode of your browser to access the
web administration interface.

5. Acknowledgments:

These issues were discovered by Felix Eckhofer during an internal code audit.

6. Contact:

The fli4l security team can be reached using security-team [at] fli4l [dot] de.
More information is available on http://www.fli4l.de/en/home/security/
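The output-escaping and header-injection classes described in section 3 both come down to writing request-derived data into the response without encoding it. The following helpers are an added example, not fli4l's code or its fix; they assume the admin/*.cgi scripts are POSIX shell CGI programs and show the two checks such a script needs: HTML-escaping anything echoed into the page, and refusing CR/LF in any value placed into a response header.

```shell
#!/bin/sh
# Added example, not fli4l's own code: output-encoding helpers of the kind a
# shell CGI script needs before it writes request-derived data into a
# response. Assumes the admin/*.cgi scripts are POSIX shell CGI programs.

cr=$(printf '\r')
nl=$(printf '\nx'); nl=${nl%x}   # command substitution strips a bare newline

# HTML-escape stdin so user-controlled text cannot break out of the page.
html_escape() {
    sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
        -e 's/"/\&quot;/g' -e "s/'/\&#39;/g"
}

# Escape a single string argument (no trailing newline is added).
html_escape_str() {
    printf '%s' "$1" | html_escape
}

# Emit one HTTP response header, refusing values that contain CR or LF:
# such a value would terminate the header and let the caller's data start a
# new header line (HTTP header injection). Returns 1 when rejected.
safe_header() {
    case "$2" in
        *"$cr"*|*"$nl"*) return 1 ;;
    esac
    printf '%s: %s\r\n' "$1" "$2"
}

# Demo on constructed input, the kind of data a status page might echo back.
html_escape_str '<script>alert(1)</script>'; echo
if ! safe_header Location "/admin/index.cgi${cr}Set-Cookie: injected=1"; then
    echo 'rejected header value containing CR/LF' >&2
fi
```

Every value reaching the page goes through html_escape_str and every header through safe_header; a rejected header should abort the request rather than fall back to the raw value.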