Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Subject: Roxen security alert: Problems with URLs containing null characters.
From: Peter Bortas (peterIDONEX.SE)
Date: Fri Jul 21 2000 - 20:53:34 CDT

Roxen 2.0 up to version 2.0.68 has a vulnerability where using URLs
containing null characters can gain the browser access to information
he is not authorized to:

  * Directory listings in directories with index files
  * In normal filesystems: the sourcecode for RXML files, Pike
    scripts, CGIs etc.
  * information protected by .htaccess files might be revealed under
    special circumstances

Systems Affected

  All Roxen 2.0 releases before 2.0.69. We have been unable to
  reproduce the problem with Roxen 1.3, but this is not fully analyzed
  yet, so it is suggested that a patch is applied as a precaution.

  Roxen SiteBuilder is ONLY affected by the directory listing


  An update package labeled 'Fix for "%00" vulnerability' is available
  from the Roxen 2.0 update server. Use the administration interface
  to download and install this fix. Note that the server needs to be
  restarted when the fix is installed.

  A patch for Roxen 1.3.122 (the latest 1.3 release) is a available as
  and should be applied to server/protocols/http.pike.

  The Roxen 2.0 upgrade package is also available as a patch if the
  update server can not be used for some reason:


  Problem originally reported by <zorgonsdf.lonestar.org>
  Further comments on the problem by Elias Levy <aleph1underground.org>

Peter Bortas                   http://peter.bortas.org
Roxen IS                       http://www.roxen.com