The buffer you mention here is statically initialized by CHEROKEE_BUF_INIT. A return value check would also, in the case of an unallocatable size, not be the solution. In more places in the code the return values of these calls are not checked, and this has been observed as "not an issue" by the original developer. The actual issue here is that it is assumed that auth.len > 0. The fix guards both the downstream and upstream functions, so empty input should be prevented now.
Cherokee Web Server 0.4.27 to 1.2.104 have a NULL pointer dereference which leads to a denial of service.
Any server that has HTTP authentication (either basic or digest) enabled and paths that respond with the WWW-Authenticate header, can be crashed by an unauthenticated and remote attacker by sending a malformed Authorization header to such paths.
The following commands are used to generate HTTP requests that trigger the vulnerability
cherokee_buffer_add does not allocate memory if the size of the input string is less than or equal to zero and returns ret_ok nonetheless. cherokee_validator_parse_digest and cherokee_validator_parse_basic do not have any checks on the return value from cherokee_buffer_add and will later dereference an uninitialized pointer (read and write), at validator.c:180 and in a call to cherokee_buffer_decode_base64 (illegal write at buffer.c:1681) respectively.
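
The failure mode reported above and the two guards described in the maintainer's reply, as an added C model that is not Cherokee's code. The type and function names are hypothetical, the base64 step is omitted, and the inputs in main() are constructed.

```c
/* Simplified model of the pattern in this report; NOT Cherokee's code.
 * Names (mbuf_t, mbuf_add, ...) are hypothetical, inputs are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef enum { R_OK, R_ERROR, R_NOMEM } r_t;
typedef struct { char *buf; size_t size, len; } mbuf_t;
#define MBUF_INIT { NULL, 0, 0 }   /* static init: no storage yet */

/* Like the add routine described above: empty input allocates nothing
 * and still reports success, so R_OK does not imply buf != NULL. */
static r_t mbuf_add(mbuf_t *b, const char *txt, size_t n) {
    if (n == 0) return R_OK;
    char *p = realloc(b->buf, b->len + n + 1);
    if (p == NULL) return R_NOMEM;
    memcpy(p + b->len, txt, n);
    b->buf = p; b->len += n; b->size = b->len + 1;
    b->buf[b->len] = '\0';
    return R_OK;
}

/* Downstream guard: refuse an empty buffer before the read (strchr)
 * and the write (splitting "user:pass" in place). */
static r_t parse_credentials(mbuf_t *b, char **user, char **pass) {
    if (b->buf == NULL || b->len == 0) return R_ERROR;
    char *colon = strchr(b->buf, ':');
    if (colon == NULL) return R_ERROR;
    *colon = '\0';
    *user = b->buf; *pass = colon + 1;
    return R_OK;
}

/* Upstream guard: reject an empty header value before copying it. */
static r_t handle_auth_value(const char *val, size_t n, mbuf_t *out,
                             char **user, char **pass) {
    if (val == NULL || n == 0) return R_ERROR;
    r_t r = mbuf_add(out, val, n);
    return (r != R_OK) ? r : parse_credentials(out, user, pass);
}

int main(void) {
    mbuf_t b = MBUF_INIT; char *u = NULL, *p = NULL;
    printf("add(empty)=%d buf=%p\n", mbuf_add(&b, "", 0), (void *)b.buf);
    printf("empty -> %d\n", handle_auth_value("", 0, &b, &u, &p));
    printf("ok    -> %d\n", handle_auth_value("alice:s3cret", 12, &b, &u, &p));
    free(b.buf);
    return 0;
}
```

Without the length checks, the strchr call and the in-place write in parse_credentials would operate on the NULL pointer left behind by the "successful" empty add.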