CVE-2017-14149 #255

Closed
mobrien opened this Issue Sep 15, 2017 · 0 comments


mobrien commented Sep 15, 2017

Overview

A security vulnerability affecting GoAhead versions 3.X with specially crafted upload requests has been identified. This bulletin discusses this flaw and its implications.

This issue is identified by CVE-2017-14149.

Summary

An HTTP POST request with specially crafted, invalid upload fields may cause a NULL dereference and thus cause a denial of service.

Description

If the required "name" field of a file upload request is omitted, the upload handler may encounter a NULL dereference.

Threat Scope

Versions 3.X. Fixed in 4.0 (which is API compatible with 3.X).

Severity

Medium. An attacker could cause a denial of service.

Remedy

Apply the quick patch below to GoAhead 3.X. Alternatively, upgrade to GoAhead 4 when it is released. GoAhead 4.0 is highly compatible with GoAhead 3.6 and upgrading should be straightforward.

Quick Patch

For GoAhead 3.X users, here is a quick patch:

diff --git a/src/upload.c b/src/upload.c
index 3bbc2e1..d526492 100644
--- a/src/upload.c
+++ b/src/upload.c
@@ -373,7 +373,7 @@ static bool processContentData(Webs *wp)
             hashEnter(wp->files, wp->uploadVar, valueSymbol(file), 0);
             defineUploadVars(wp);

-        } else {
+        } else if (wp->uploadVar) {
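
Review bot: the new `else if (wp->uploadVar)` guard protects only this branch; the branch directly above still passes wp->uploadVar to hashEnter(wp->files, wp->uploadVar, ...), and these lines show no NULL check on that path, so confirm it cannot be reached when "name" is missing. Unless a later else (not visible here) handles it, a part without a name is now dropped silently; rejecting the request with an error response and a log entry would make malformed uploads visible rather than ignored.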

A related patch should also be applied:

diff --git a/src/upload.c b/src/upload.c
index f791947..acd6109 100644
--- a/src/upload.c
+++ b/src/upload.c
@@ -124,10 +124,11 @@ PUBLIC bool websProcessUploadData(Webs *wp)
             }
             *nextTok++ = '\0';
             nbytes = nextTok - line;
             websConsumeInput(wp, nbytes);
             strim(line, "\r", WEBS_TRIM_END);
             len = strlen(line);
-            if (line[len - 1] == '\r') {
+            if (len > 0 && line[len - 1] == '\r') {
                 line[len - 1] = '\0';
             }
         }
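
Review bot: the `len > 0` guard on `line[len - 1]` is needed for an empty line, but the strim(line, "\r", WEBS_TRIM_END) call two lines above looks like it already removes a trailing "\r", which would make this `if` block dead code. Either drop the block and rely on strim, or keep it with a comment naming the case strim does not cover; a regression test that sends an empty line in the upload body would pin the fix down.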

Please contact Embedthis if you require further information, test code or assistance at dev@embedthis.com.

References

@mobrien mobrien added this to the 4.0.0 milestone Sep 15, 2017

@mobrien mobrien closed this Sep 15, 2017
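
The two conditions the bulletin's patches guard against (a part header with no "name" parameter, and an empty line before the trailing-CR check), validated at parse time. This is an added example, not GoAhead code: `disposition_name` and `strip_cr` are hypothetical helpers and the header strings are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not a GoAhead API: copy the name="..." parameter of a
   Content-Disposition header into out. Returns false if the parameter is
   missing, unterminated, empty or too long. Simplified: case-sensitive match,
   no backslash escapes inside the quoted value. */
static bool disposition_name(const char *header, char *out, size_t outlen)
{
    const char *p = header, *end;
    size_t n;
    if (header == NULL || out == NULL || outlen == 0) return false;
    while ((p = strstr(p, "name=\"")) != NULL) {
        /* Accept only a parameter of its own, not the tail of filename=" */
        if (p == header || p[-1] == ' ' || p[-1] == ';' || p[-1] == '\t') break;
        p += 6;
    }
    if (p == NULL) return false;              /* no name: reject the part */
    p += 6;                                   /* skip name=" */
    if ((end = strchr(p, '"')) == NULL) return false;
    n = (size_t)(end - p);
    if (n == 0 || n >= outlen) return false;
    memcpy(out, p, n);
    out[n] = '\0';
    return true;
}

/* Strip one trailing '\r'. The len > 0 test keeps an empty line from
   indexing line[-1]. Returns the new length. */
static size_t strip_cr(char *line)
{
    size_t len = strlen(line);
    if (len > 0 && line[len - 1] == '\r') line[--len] = '\0';
    return len;
}

int main(void)
{
    /* Constructed header without a name parameter, and an empty line. */
    char name[64], empty[] = "";
    bool ok = disposition_name("Content-Disposition: form-data; filename=\"a.txt\"", name, sizeof name);
    printf("%s, empty line length %zu\n", ok ? name : "rejected: no name", strip_cr(empty));
    return 0;
}
```

A caller that gets false from `disposition_name` should fail the request before any code uses the field name as a hash key.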
