Rolling code for version 2.21
Marc Singer committed Jan 28, 2019
1 parent b7a8072 commit 4f0ecc3
Showing 2 changed files with 21 additions and 0 deletions.
6 changes: 6 additions & 0 deletions debian/changelog
@@ -1,3 +1,9 @@
shellinabox (2.21) unstable; urgency=medium

* Patched DoS vulnerability reported by Imre Rad.

-- Marc Singer <elf@debian.org> Sun, 09 Sep 2018 12:10:40 -0700

shellinabox (2.20) unstable; urgency=medium

* Fixed issue #222, LOGIN service
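Review bot: the new 2.21 entry says only "Patched DoS vulnerability reported by Imre Rad", with no indication of the affected component (the multipart/form-data POST body parser in libhttp/url.c, per the second file in this commit) and no bug or advisory reference, so anyone scanning the changelog cannot tell what was fixed; suggest wording such as `* Fix remote DoS in multipart/form-data POST body parsing (libhttp/url.c), reported by Imre Rad.` The entry is also dated Sun, 09 Sep 2018 while the commit itself is dated Jan 28, 2019, so it is worth confirming that the changelog date is the intended release date.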
15 changes: 15 additions & 0 deletions libhttp/url.c
Expand Up @@ -313,6 +313,21 @@ static void urlParsePostBody(struct URL *url,
}
}
}
/* elf-2018.09.09: Detection of broken multipart/form-data
fixes DoS vulnerability.
On 9/9/18 10:43 AM, Imre Rad wrote:
Hi Markus, Marc!
I identified a vulnerability today in Shellinabox, it is
remote a denial of service, shellinaboxd eating up 100% cpu
and not processing subsequent requests after the attack was
mounted.
*/
else {
warn ("[http] Ignorning broken multipart/form-data");
break;
}
}
if (lastPart) {
warn("[http] Missing final \"boundary\" for \"multipart/form-data\"!");
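Review bot: the new `else` branch only logs a warning and breaks out of the part loop, so a malformed multipart body is treated as a successfully parsed (but truncated) POST rather than as a rejected request; consider having urlParsePostBody signal the failure to its caller so the request can be answered with an error instead of proceeding with partial form data. Two smaller points: the log string `"[http] Ignorning broken multipart/form-data"` misspells "Ignoring", and the pasted e-mail in the elf-2018.09.09 comment block belongs in the commit message, while a one-line comment stating what condition counts as "broken" here (what the `else` is the complement of) would serve the next reader better.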

5 comments on commit 4f0ecc3

@TBK TBK commented on 4f0ecc3 Feb 12, 2019


Would it be possible to make a release?

@beewoolie beewoolie commented on 4f0ecc3 Feb 13, 2019 via email


@ravermeister ravermeister commented on 4f0ecc3 Jul 5, 2019


Hmm, for me SIAB runs smoothly... no problems with SSL, but I'm running it on ARM (behind Apache as a proxy)
(and used my branch version with some merged PRs in it).

@fuqiang03

openwrt master
gcc 9.2 musl openssl 1.1.1d
12650 root 4720 S /usr/sbin/shellinaboxd -u root -c /etc/shellinabox --css=/etc/shellinabox/black-on-white.css
12664 root 4684 S /usr/sbin/shellinaboxd -u root -c /etc/shellinabox --css=/etc/shellinabox/black-on-white.css
Mon Dec 16 20:19:16 2019 user.err : Check failed at libhttp/ssl.c:892 in sslSetCertificate(): !ERR_peek_error()
003-add.patch.txt
002-Add.patch.txt

@gregorysuarez

How can I install v2.21? I'm trying to build a deb package, but I only see v2.20 (no vulnerability fix).
