ANTI-WEB HTTPD OFFICIAL SECURITY ADVISORY
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This is Doug Hoyte, head programmer of the Anti-Web HTTPD project.

A recent advisory put out by methodic from AngryPacket has been officially confirmed as valid; however, DO NOT INSTALL THE PATCH ACCOMPANYING THAT ADVISORY! It opens up a format string vulnerability in the code, and there may be some stability issues involved as well.

In discussion about this vulnerability with 3APA3A <3APA3A@SECURITY.NNOV.RU> and methodic, a few other problems were unearthed.

DESCRIPTION OF PROBLEMS
~~~~~~~~~~~~~~~~~~~~~~~

-A local DoS attack that can be carried out if the attacker has write access to an Anti-Web HTML tree. This is most common when each user has personal webspace on a server. See methodic's advisory for more details.

-Another local DoS attack I discovered while investigating methodic's attack: removing the F: from an AW script altogether can cause AW to escalate CPU usage. Again, the attacker needs write access in an AW HTML tree.

-A potential heap overflow in the loading of the script code, which could result in a shell with UID/GID 32767 (by default). Again, the attacker would have to have write access in an AW HTML tree.

-A syslog() format string vulnerability. Fortunately, this is not exploitable in any official version of Anti-Web, but it might have posed problems in the event of future code additions.

FIXES
~~~~~

Download the new, patched version here:
http://hardcoresoftware.cjb.net/awhttpd/awhttpd-2.2.1.tgz

CHANGELOG is here:
http://hardcoresoftware.cjb.net/awhttpd/changes.txt

Alternatively, as mentioned by methodic, you could simply uncomment the "#define NOSCRIPT" line in config.h.

Note: In the new version, you would want to comment out "#define SCRIPTING". Scripting is disabled by default in newer versions now.

I should also add that this new version HASN'T been confirmed stable. It's holding up alright for me, but there are dangling functions, and the new SunOS port is still in beta.

WHO SHOULD GET THE NEW VERSION
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If you're a sysadmin who is giving users personal webspace in an Anti-Web HTML tree, INSTALL THIS VERSION NOW!

If you're running a small, personal webserver with you as the only user, this version won't add much in terms of security, so you may as well wait for 2.3 to come out, or uncomment NOSCRIPT.

If you've extended the code yourself and taken advantage of the logthis() function, your new code may be vulnerable: UPDATE NOW!

COMMENT
~~~~~~~

Having recently experienced a "GOBBLES" advisory, I was a bit skeptical about this advisory at first, but methodic did an excellent research job here. He also acted very courteously in notifying me, the head programmer. 3APA3A was also very helpful, unearthing other problems with the code.

I'd also like to point out how well this issue illustrates the difficulty in writing completely bug-free code. Even a patch designed to close up a security hole can end up opening another one. The job of a programmer is certainly no cakewalk.

CREDITS
~~~~~~~

methodic and 3APA3A for uncovering these vulnerabilities.

Doug Hoyte
HardCore SoftWare
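The syslog() format string item and the warning to anyone who has built on logthis() describe the same bug class. As an added example (not Anti-Web's code; the wrapper's name, signature and buffer size are assumed), this is the safe shape of such a wrapper: the format string stays a literal, request-derived text only ever travels through "%s", and the line is rendered into a bounded buffer so an over-long script name cannot overrun it:

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define LOGLINE_MAX 256   /* assumed line limit for this example */

/* Copy of the last line handed to syslog(), kept so the wrapper's output
 * can be inspected without reading the system log. */
static char last_line[LOGLINE_MAX];

/* Render a log line into a fixed-size buffer. vsnprintf() truncates rather
 * than writing past 'outsz'. Returns the number of bytes stored (no NUL). */
static int vbuild_log_line(char *out, size_t outsz, const char *fmt, va_list ap)
{
    int n = vsnprintf(out, outsz, fmt, ap);
    if (n < 0) { out[0] = '\0'; return 0; }
    return n < (int)outsz ? n : (int)outsz - 1;
}

/* printf-style logging wrapper (hypothetical shape of a logthis()).
 * 'fmt' is always a literal written by the programmer; untrusted text
 * (a request path, a script name) goes through a "%s" argument. The shape
 * to avoid is syslog(prio, msg) with msg built from request data: there
 * every '%' in msg is parsed as a conversion specifier.
 * Returns the length of the line that was logged. */
int logthis(int prio, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vbuild_log_line(last_line, sizeof last_line, fmt, ap);
    va_end(ap);
    syslog(prio, "%s", last_line);   /* last_line is data, "%s" is the format */
    return n;
}

const char *last_log_line(void) { return last_line; }

int main(void)
{
    /* Constructed sample: a script name that contains conversion characters. */
    logthis(LOG_INFO, "script %s failed to load", "page%s%x.aw");
    printf("%s\n", last_log_line());   /* prints: script page%s%x.aw failed to load */
    return 0;
}
```

Building with `gcc -Wformat -Wformat-security` reports the unsafe `syslog(prio, msg)` call shape at compile time, which is the quickest way to audit code that extended logthis().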