Home page logo

oss-sec logo oss-sec mailing list archives

Re: CVE requests / advisory: cxxtools <= 2.2, Tntnet <= 2.2
From: Matthew Daley <mattd () bugfuzz com>
Date: Sat, 18 Jan 2014 22:52:08 +1300

On Sat, Jan 18, 2014 at 10:46 PM, Henri Salo <henri () nerv fi> wrote:
On Sat, Jan 18, 2014 at 02:43:23PM +1300, Matthew Daley wrote:

I'd like to request CVE IDs for these 2 issues. They were found in
software from the Tntnet Project (www.tntnet.org), which develop
Tntnet, an open-source web server for C++ web applications.

This is the first such request and the issues are (now) public; this
message serves as an advisory as well.

* Issue #1

Affected software: cxxtools
Description: By sending a crafted HTTP query parameter containing two
percent signs in a row, URL parsing would enter an infinite recursive
loop, leading to a crash. This allows a remote attacker to DOS the
Affected versions: current releases (<= 2.2)
Fixed in version: 2.2.1
Fix: https://github.com/maekitalo/cxxtools/commit/142bb2589dc184709857c08c1e10570947c444e3
Release notes: http://www.tntnet.org/download/cxxtools-2.2.1/Releasenotes-2.2.1.markdown
Reported by: Julian Wiesener

* Issue #2

Affected software: Tntnet
Description: By sending a crafted HTTP request that uses "\n" to end
its headers instead of the expected "\r\n", it is possible that
headers from a previous unrelated request will seemingly be appended
to the crafted request (due to a missing null termination). This
allows a remote attacker to use sensitive headers from other users'
requests in their own requests, such as cookies or HTTP authentication
Affected versions: current releases  (<= 2.2)
Fixed in version: 2.2.1
Fix: https://github.com/maekitalo/tntnet/commit/9bd3b14042e12d84f39ea9f55731705ba516f525
and https://github.com/maekitalo/tntnet/commit/9d1a859e28b78bfbf769689454b529ac7709dee4
Release notes: http://www.tntnet.org/download/tntnet-2.2.1/Releasenotes-2.2.1.markdown
Reported by: Matthew Daley

Please let me know if you need any further information.


- Matthew Daley

Just a small note for assigner. These were fixed last year so should get 2013
CVE IDs if I'm correct.

Sorry, I forgot to mention that. Yes, they were both reported and
fixed (in master, at least) in 2013.

- Matthew

Henri Salo

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]