Bug 130963 (CVE-2005-3123)

Summary: VUL-0: CVE-2005-3123: gnump3d XSS and directory traversal
Product: [Novell Products] SUSE Security Incidents
Reporter: Ludwig Nussel <lnussel>
Component: Incidents
Assignee: Thorsten Kukuk <kukuk>
Status: RESOLVED DUPLICATE
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard: CVE-2005-3123: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: gnump3d-dot-dot.diff
gnump3d-xss.diff

Description Ludwig Nussel 2005-10-27 08:52:37 UTC
We received the following report via vendor-sec.
This issue is *not public* yet, please keep any information about it inside SUSE.

   6 remote non-root user
  -1 extra package
  -1 default inactive

Total Score: 4 (Moderate)

Date: Thu, 27 Oct 2005 10:28:11 +0200
From: Martin Schulze <joey@infodrom.org>
To: Free Software Distribution Vendors <vendor-sec@lst.de>
Subject: [vendor-sec] CVE-2005-3122 CVE-2005-3123: GNUMP3d security problems - XSS + directory traversal.

Steve Kemp discovered two vulnerabilities in gnump3d, a streaming
server for MP3 and OGG files.  The Common Vulnerabilities and
Exposures Project identifies the following problems:

CVE-2005-3122

    The 404 error page does not strip malicious javascript content
    from the resulting page, which would be executed in the victim's
    browser.

CVE-2005-3123

    By using specially crafted URLs it is possible to read arbitrary
    files to which the user of the streaming server has access.

    Stripping all "../" from the path should be sufficient as well.

This one is not yet public, so we can coordinate if you prefer it.


Patches attached.

----- Forwarded message from Steve Kemp <skx@debian.org> -----


1. XSS Attacks
--------------

  There are two XSS attack vectors in the handling of files.

  When files are not found the requested URI isn't stripped from
  the 404 page, allowing javascript execution via:

	http://host:port/ssssssssss/<script>..</script>

  The second flaw comes from a similar refusal to serve any request ending
  in the string '.password'.  This is an identical vulnerability as the
  request is internally converted into a 404 response regardless of
  whether the file exists or not:

	http://host:port/any/path/<script>...</script>/.password


  Patch attached 'gnump3d-xss.diff'.



2. Directory Traversal
----------------------

  This is a far more serious flaw; it allows the reading of
  arbitrary files which the user the server is running as has access to
  (gnump3d by default).

  The flaw comes from the attempt to sanitize input paths, ironically
  to prevent these very attacks.

  The process looks like this:

	Strip ".." from all inputted paths.
	Then strip "//" from all inputted paths.

  This allows the following conversion to happen:

	/.//./
	/../

  So with the root set to /home/mp3 the following allows the password
 file to be retrieved:

GET /.//.///.//./etc/passwd HTTP/1.0

  The solution chosen is to:

	1.  Strip ".." from the paths as before.
	2.  But convert "//" to "/" (multiple times if necessary).

  I think that is sufficient, but if I'm mistaken I'd love to be
  educated.

  Patch attached, gnump3d-dot-dot.diff

Steve
--

----- End forwarded message -----

Regards,

	Joey

-- 
A mathematician is a machine for converting coffee into theorems.   Paul Erdös
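The two sanitisation orders from section 2 of the forwarded report (strip ".." then strip "//", versus strip ".." then collapse "//" to "/") and the 404 echo from section 1, reproduced as an added Python illustration. This is not gnump3d's own code (which is Perl) and not the attached patches; the names DOC_ROOT, sanitize_flawed, sanitize_fixed, resolve_under_root and render_404, the 404 markup, and the containment check in resolve_under_root are this example's own assumptions. The request string and the /home/mp3 root are the ones the report uses.

```python
import html
import posixpath
from typing import Tuple

# Constructed for this example: the document root named in the report.
DOC_ROOT = "/home/mp3"


def sanitize_flawed(path: str) -> str:
    """The order the report describes as broken (reimplemented here for
    illustration, not gnump3d's code): strip every "..", then strip every
    "//".  Removing "//" joins characters that survived the first pass
    into a brand-new "..", so the traversal is created by the sanitiser.
    """
    path = path.replace("..", "")
    return path.replace("//", "")


def sanitize_fixed(path: str) -> str:
    """The order the report's fix chooses: strip "..", then collapse runs
    of "/" into a single "/", repeating until no "//" remains.
    """
    path = path.replace("..", "")
    while "//" in path:
        path = path.replace("//", "/")
    return path


def resolve_under_root(root: str, path: str) -> Tuple[str, bool]:
    """Extra containment check (hypothetical helper, not in the report):
    resolve the sanitised path beneath ``root`` and report whether the
    result is still inside it.  Uses posixpath so the check behaves the
    same on any host; ``root`` is assumed to be already normalised.
    """
    resolved = posixpath.normpath(root + "/" + path.lstrip("/"))
    inside = resolved == root or resolved.startswith(root + "/")
    return resolved, inside


def render_404(request_uri: str) -> str:
    """404 page that HTML-escapes the requested URI before echoing it,
    which is what the XSS fix has to guarantee (constructed markup).
    """
    body = html.escape(request_uri, quote=True)
    return "<html><body><h1>404 Not Found</h1><p>%s</p></body></html>" % body


if __name__ == "__main__":
    request = "/.//.///.//./etc/passwd"  # the request shown in the report
    for name, fn in (("flawed", sanitize_flawed), ("fixed", sanitize_fixed)):
        clean = fn(request)
        resolved, inside = resolve_under_root(DOC_ROOT, clean)
        print(f"{name:6s} {request} -> {clean!r} -> {resolved} "
              f"(inside root: {inside})")
    print(render_404("/ssssssssss/<script>..</script>"))
```

Running it shows the flawed order turning the request into `/../../etc/passwd`, which resolves to `/etc/passwd` under a `/home/mp3` root, while the fixed order yields `/././././etc/passwd` and stays inside the root. The resolve_under_root check is independent of the string-level filtering: it catches any future ordering mistake of the same kind, so a server would do well to apply it after whatever sanitisation it performs.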
Comment 1 Ludwig Nussel 2005-10-27 08:53:28 UTC
Created attachment 55670 [details]
gnump3d-dot-dot.diff
Comment 2 Ludwig Nussel 2005-10-27 08:53:51 UTC
Created attachment 55671 [details]
gnump3d-xss.diff
Comment 3 Thorsten Kukuk 2005-10-27 09:07:23 UTC

*** This bug has been marked as a duplicate of 129322 ***
Comment 4 Thomas Biege 2009-10-13 21:45:18 UTC
CVE-2005-3123: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)