Bug 88537

Summary: www-proxy/junkbuster: configuration can be changed remotely when using single-threading
Product: Gentoo Security
Reporter: euclid80
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: net-proxy+disabled, security-audit
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://uregina.ca/~ranson1j/cgi-bin/show_referer.cgi
Whiteboard: B2? [glsa] jaervosz
Package list:
Runtime testing required: ---
Attachments: patch for referrer bug (flags: none)

Description euclid80 2005-04-09 19:44:13 UTC
Regarding junkbuster-2.0.2-r2...

The function ij_untrusted_url() in filters.c clobbers the value of the global variable "referrer", which is set by the config file. Now, when the "single-threaded" option has NOT been specified in the config file, the bug is harmless because this function is run in a child process. However, if single-threading is enabled, all successive connections will use the new value of "referrer".

In particular, by sending a request for "http://host/ij-untrusted-url?a?a?x" to the proxy, one can install the value "x" in the referrer variable.


Reproducible: Always
Steps to Reproduce:
1. request http://host/ij-untrusted-url?a?a?x through the proxy.

Actual Results:
Sets "referrer" global variable.

Expected Results:
Should use a local variable named "referrer".
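The state leak described in this report, as an added illustration (hypothetical code, not junkbuster's own): a handler that writes a request-derived value into the global config variable persists it across connections when one process serves them all, while a local of the same name keeps it per request. The `last_field` parser and the `request_t` struct are assumptions standing in for the real code.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the "referrer" config value: a process-wide global. */
static char g_referrer[64] = "http://example.invalid/";

typedef struct { char referrer[64]; } request_t;  /* per-request state */

/* Hypothetical parser: take the text after the last '?' of the URL,
 * so "ij-untrusted-url?a?a?x" yields "x". */
static void last_field(const char *url, char *out, size_t n) {
    const char *p = strrchr(url, '?');
    snprintf(out, n, "%s", p ? p + 1 : "");
}

/* Buggy pattern: the parsed value lands in the shared global. */
void untrusted_url_buggy(request_t *req, const char *url) {
    last_field(url, g_referrer, sizeof g_referrer);   /* clobbers config */
    snprintf(req->referrer, sizeof req->referrer, "%s", g_referrer);
}

/* Fixed pattern: a local holds the value for this request only. */
void untrusted_url_fixed(request_t *req, const char *url) {
    char referrer[64];                                 /* local, not global */
    last_field(url, referrer, sizeof referrer);
    snprintf(req->referrer, sizeof req->referrer, "%s", referrer);
}

/* Simulate single-threaded mode: two connections served by one process.
 * Returns the referrer an unrelated second request would be given,
 * i.e. whatever the global holds after the first request was handled. */
const char *serve_two(void (*handler)(request_t *, const char *)) {
    request_t first;
    strcpy(g_referrer, "http://example.invalid/");    /* value from config */
    handler(&first, "http://host/ij-untrusted-url?a?a?x");
    return g_referrer;                                /* seen by request 2 */
}

int main(void) {
    printf("buggy handler, next request sends: %s\n", serve_two(untrusted_url_buggy));
    printf("fixed handler, next request sends: %s\n", serve_two(untrusted_url_fixed));
    return 0;
}
```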
Comment 1 euclid80 2005-04-09 19:46:42 UTC
Created attachment 55828 [details, diff]
patch for referrer bug
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-04-10 07:49:12 UTC
Can auditors have a look?
Comment 3 Tavis Ormandy (RETIRED) gentoo-dev 2005-04-10 11:38:21 UTC
Confirmed. That's an interesting bug, a malicious site could override your referrer setting and allow it to be sent (if you were to enable single-threaded operation, for some reason).

It gets worse: there's some heap corruption happening in there due to the inconsistent use of the strsav() function that looks exploitable (single-threaded or not). Looks like there are some other errors as well that need correcting.

Is there any reason to use junkbuster rather than privoxy? Maybe we should consider abandoning junkbuster, as it looks like upstream is inactive.
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-04-12 00:03:06 UTC
www-proxy please advise.
Comment 5 Alin Năstac (RETIRED) gentoo-dev 2005-04-12 13:13:11 UTC
Fixed both issues in -r3.
I took the liberty to keep keywords unchanged and erase the old version. The new patch is Obviously Correct, tested on x86 by me, and is definitely arch independent.
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-04-12 13:25:18 UTC
Thx Alin. This one is ready for GLSA.
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-04-13 08:50:52 UTC
GLSA 200504-11