Bug 88537 - www-proxy/junkbuster: configuration can be changed remotely when using single-threading
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B2? [glsa] jaervosz
Depends on:
Reported: 2005-04-09 19:44 UTC by euclid80
Modified: 2005-04-13 08:50 UTC

See Also:
Package list:
Runtime testing required: ---

Attachment: patch for referrer bug (diff, 442 bytes, patch), 2005-04-09 19:46 UTC, euclid80, no flags

Description euclid80 2005-04-09 19:44:13 UTC
Regarding junkbuster-2.0.2-r2...

The function ij_untrusted_url() in filters.c clobbers the value of the global variable "referrer", which is set by the config file.  Now, when the "single-threaded" option has NOT been specified in the config file, the bug is harmless because this function is run in a child process.  However, if single-threading is enabled, all successive connections will use the new value of "referrer".

In particular, by sending a request for "http://host/ij-untrusted-url?a?a?x" to the proxy, one can install the value "x" in the referrer variable.

Reproducible: Always
Steps to Reproduce:
1. request http://host/ij-untrusted-url?a?a?x through the proxy.

Actual Results:  
Sets "referrer" global variable.

Expected Results:  
Should use a local variable named "referrer".
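The state-persistence problem described in this report, as an added illustration that is not junkbuster's own code: a constructed handler writes the third query field of "ij-untrusted-url?a?a?x" into the config-derived global (the reported behaviour) beside a version that keeps it in a local, and a helper shows what the next request would observe when one process serves every connection. The configured referrer value is a placeholder.

```c
#include <string.h>
/* Constructed model of the report's bug, not junkbuster's own code. The
 * proxy keeps its config-derived "referrer" in a global every request reads. */
#define REF_MAX 64
static const char CONFIG_REFERRER[] = "http://config.example/"; /* placeholder */
static char referrer[REF_MAX];
/* Text after the third '?' in "ij-untrusted-url?a?a?x" is the new value. */
static const char *third_field(const char *query)
{
    const char *p = query;
    for (int i = 0; i < 3; i++) {
        p = strchr(p, '?');
        if (p == NULL) return NULL;
        p++;
    }
    return p;
}
/* Before the fix: the request-supplied value goes into the shared global.
 * With a forked child per connection the write dies with the child; in
 * single-threaded mode it persists and every later request sees it. */
static void untrusted_url_buggy(const char *query)
{
    const char *v = third_field(query);
    if (v != NULL) {
        strncpy(referrer, v, REF_MAX - 1);
        referrer[REF_MAX - 1] = '\0';
    }
}
/* After the fix (the report's "should use a local variable named
 * referrer"): per-request state lives on this handler's stack. */
static void untrusted_url_fixed(const char *query)
{
    char local_referrer[REF_MAX] = "";
    const char *v = third_field(query);
    if (v != NULL) {
        strncpy(local_referrer, v, REF_MAX - 1);
        local_referrer[REF_MAX - 1] = '\0';
    }
    (void)local_referrer; /* used only while serving this request */
}
/* Load config, serve the crafted request, return what the next request sees. */
static const char *referrer_after(void (*handler)(const char *))
{
    strcpy(referrer, CONFIG_REFERRER);
    handler("/ij-untrusted-url?a?a?x");
    return referrer;
}
```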
Comment 1 euclid80 2005-04-09 19:46:42 UTC
Created attachment 55828
patch for referrer bug
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-04-10 07:49:12 UTC
Can auditors have a look?
Comment 3 Tavis Ormandy (RETIRED) gentoo-dev 2005-04-10 11:38:21 UTC
Confirmed. That's an interesting bug, a malicious site could override your referrer setting and allow it to be sent (if you were to enable single-threaded operation, for some reason).

It gets worse: there's some heap corruption happening in there due to the inconsistent use of the strsav() function that looks exploitable (single-threaded or not). Looks like there are some other errors as well that need correcting.

Is there any reason to use junkbuster rather than privoxy? maybe we should consider abandoning junkbuster as it looks like upstream is inactive.
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-04-12 00:03:06 UTC
www-proxy please advise.
Comment 5 Alin Năstac (RETIRED) gentoo-dev 2005-04-12 13:13:11 UTC
Fixed both issues in -r3.
I took the liberty of keeping keywords unchanged and erasing the old version. The new patch is Obviously Correct, tested on x86 by me, and is definitely arch independent.
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-04-12 13:25:18 UTC
Thx Alin. This one is ready for GLSA.
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-04-13 08:50:52 UTC
GLSA 200504-11