== fli4l security advisory FFL-1113 (v02) =====================================

Package:    httpd
Impact:     Root Compromise (Existing account for web administration interface)
            Cross-site Scripting
            HTTP header injection

===============================================================================

1. Summary:

Several vulnerabilities were discovered in the web administration frontend for fli4l contained in the 'httpd' package. These include arbitrary command execution (CVE-2015-1443), XSS vulnerabilities (CVE-2015-1444) and HTTP header injection (CVE-2015-1445).

2. Relevant releases:

Fli4l 3.x: All versions
Fli4l 4.0: All tarballs up to 2015-01-23

3. Description:

The function show_tab_header provided by include/cgi-helper insufficiently sanitized its input. An attacker could use this flaw to execute arbitrary programs on the router as root. The affected scripts included with the httpd package require the attacker to have a valid login for the web administration interface.

The script admin/pf.cgi insufficiently sanitized its input. An attacker with at least "support:systeminfo" rights could use this flaw to execute arbitrary programs on the router as root.

The script admin/conntrack.cgi insufficiently escaped its output. An attacker could use this flaw to perform a cross-site scripting (XSS) attack against an authenticated user with at least "conntrack:view" rights.

The script admin/index.cgi insufficiently escaped its output. An attacker could use this flaw to perform a cross-site scripting (XSS) attack against any authenticated user.

The script admin/log_syslog.cgi insufficiently escaped its output. An attacker could use this flaw to perform a cross-site scripting (XSS) attack against an authenticated user with any rights within the "logs" realm.

The script admin/problems.cgi insufficiently escaped its output. An attacker could use this flaw to perform a cross-site scripting (XSS) attack against any authenticated user.

The script admin/status.cgi insufficiently escaped its output. An attacker could use this flaw to perform a cross-site scripting (XSS) attack against an authenticated user with any rights within the "status" realm.

The script admin/status_network.cgi insufficiently escaped its output. An attacker could use this flaw to perform a cross-site scripting (XSS) attack, or to inject HTTP headers into the response, against an authenticated user with at least "status:view" rights.

The script admin/status_system.cgi insufficiently escaped its output. An attacker could use this flaw to perform a cross-site scripting (XSS) attack against an authenticated user with at least "status:view" rights.

We recommend that all users upgrade to the new package versions.

4. Solution:

These issues are fixed in fli4l Version 3.10.1 and in tarballs of the development branch 4.0 from 2015-01-30 and later.

As a workaround, the web administration interface can be disabled (set OPT_HTTPD='no'). Alternatively, revoke access to the web interface for all untrusted users and only use the incognito mode of your browser to access the web administration interface.

5. Acknowledgments:

These issues were discovered by Felix Eckhofer during an internal code audit.

6. Contact:

The fli4l security team can be reached using security-team [at] fli4l [dot] de.
More information is available on http://www.fli4l.de/en/home/security/

7. History:

2015-02-01: [v02] CVE-IDs added
2015-01-30: [v01] Public release
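The Description section names three defect classes in the shell-based CGI scripts: request input reaching a command unsanitized, request-derived text written into the page unescaped, and request-derived text written into a response header unescaped. The helpers below are an added example of the corresponding defensive checks; they are not fli4l's own code (the function names and the assumption that include/cgi-helper is a sourced POSIX shell library are mine).

```shell
#!/bin/sh
# Added example, not code from the fli4l httpd package. Hypothetical helper
# functions of the kind a sourced shell CGI library needs so that request
# values can be used safely in commands, page output and response headers.

# HTML-escape a value before it is written into the page body or an
# attribute (counters the output-escaping defects, CVE-2015-1444).
html_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' \
                           -e 's/</\&lt;/g' \
                           -e 's/>/\&gt;/g' \
                           -e 's/"/\&quot;/g' \
                           -e "s/'/\&#39;/g"
}

# Remove CR and LF from a value before it goes into an HTTP response header,
# so a request value cannot start a new header line (CVE-2015-1445).
header_value() {
    printf '%s' "$1" | tr -d '\r\n'
}

# Accept only a strict whitelist of characters for values that end up as
# command arguments; everything else is rejected rather than cleaned
# (counters the input-sanitisation defects, CVE-2015-1443).
is_safe_name() {
    case "$1" in
        '')                 return 1 ;;
        *[!A-Za-z0-9_.-]*)  return 1 ;;
        *)                  return 0 ;;
    esac
}

# Build one tab link of a tab header. Both the tab id and the label may be
# request-derived, so each is escaped before being placed into the markup.
tab_link() {
    printf '<a href="?tab=%s">%s</a>' "$(html_escape "$1")" "$(html_escape "$2")"
}

# Emit a Content-Type header from a (constructed) request value; the value is
# cleaned so that a CR/LF in it cannot inject additional headers.
content_type_header() {
    printf 'Content-Type: %s\r\n' "$(header_value "$1")"
}
```

The whitelist check deliberately rejects rather than rewrites a bad value, so a caller that builds a command line from `$1` only does so after `is_safe_name "$1"` has succeeded.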