oss-sec mailing list archives
CVE-2016-1231, CVE-2016-1232: Prosody XMPP server multiple vulnerabilities
From: Matthew Wild <mwild1 () gmail com>
Date: Fri, 8 Jan 2016 15:40:14 +0000
Two vulnerabilities have been discovered and fixed in the Prosody XMPP server. Details below.

CVE-2016-1231
prosody: path traversal vulnerability in the built-in HTTP server's file-serving module
-------------

Project: Prosody XMPP server
URL: https://prosody.im/
Affected versions: 0.9.x (before 0.9.9), 0.10 (unreleased)
Affected Prosody modules: mod_http_files (and community modules that depend on it)
Fixed versions: 0.9.9, 0.10 nightly build 196, trunk nightly build 608

Description
-----------

A flaw was found in Prosody's HTTP file-serving module (mod_http_files) that allows it to serve requests outside of the configured public root directory. This could allow attackers access to private files, including sensitive data.

Affected configurations
-----------------------

The default configuration has mod_http_files disabled and is not vulnerable. Additionally, configurations where mod_http_files serves files at the root URL (i.e. with no path prefix such as /files/ configured via http_paths) are not vulnerable.

Temporary mitigation
--------------------

Disable mod_http_files and any community modules that depend on it.

Advice
------

All users should upgrade to 0.9.9, or check their OS distribution for security updates. Users of development branches (0.10, trunk) should upgrade to the latest nightly builds.

Credits
-------

The flaw was discovered by Kim Alvefur, a member of the Prosody team.

//////////////////////////

CVE-2016-1232
prosody: use of a weak PRNG to generate the authentication secret used when verifying server-to-server connections with the dialback method
-------------

Project: Prosody XMPP server
URL: https://prosody.im/
Affected versions: All
Affected Prosody modules: mod_dialback
Fixed versions: 0.9.9, 0.10 nightly build 196, trunk nightly build 608

Description
-----------

It was discovered that Prosody's generation of the secret token for server-to-server dialback authentication relied upon a weak random number generator that was not cryptographically secure. This allows an attacker to guess at probable values of the secret key. A successful guess allows impersonation of the affected domain to other servers on the network.

Affected configurations
-----------------------

Configurations with mod_dialback loaded (the default configuration) are affected.

Servers with s2s_secure_auth = true will not be susceptible to incoming attempts to spoof other domains on the network. However, if mod_dialback is loaded, a server's domain may still be spoofed by an attacker in connections to other servers.

Not affected are configurations with a strong custom dialback_secret set (though periodically regenerating the dialback_secret is still advisable).

Temporary mitigation
--------------------

Set the 'dialback_secret' option in your configuration file to a long random string. A strong dialback_secret can be generated (for example) using the command:

    head -c 32 /dev/urandom | base64

Alternatively, disable mod_dialback by adding it to your modules_disabled option in your configuration file. In this case, communication with servers that only support dialback or have untrusted certificates will not be possible.

Advice
------

All users should upgrade to 0.9.9, or check their OS distribution for security updates. Users of development branches (0.10, trunk) should upgrade to the latest nightly builds.

Credits
-------

The flaw was discovered and reported by Thijs Alkemade.
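The CVE-2016-1231 advisory above describes the risk (requests served from outside the configured public root) without showing the defect itself. The following is an added example, not Prosody's mod_http_files code, of the containment check a file-serving handler should apply before opening anything: it assumes a constructed public root (`PUBLIC_ROOT`) and a `/files/` prefix in the style of `http_paths`, rejects `..` segments (including percent-encoded ones) and NUL bytes outright, strips a leading slash so `os.path.join` cannot be tricked into an absolute path, and finally confirms the symlink-resolved target still sits under the root.

```python
import os
import posixpath
from urllib.parse import unquote

# Constructed values for illustration; not Prosody's own code or config.
PUBLIC_ROOT = "/srv/prosody-files"   # the configured public root directory
URL_PREFIX = "/files/"               # the http_paths-style prefix the handler is mounted on


def resolve_under_root(url_path, root=PUBLIC_ROOT, prefix=URL_PREFIX):
    """Map a request path to an absolute filesystem path inside root.

    Returns None for any request that would escape root: missing prefix,
    '..' segments (also percent-encoded), NUL bytes, or a path that, after
    symlink resolution, does not sit under root.
    """
    if not url_path.startswith(prefix):
        return None
    rel = unquote(url_path[len(prefix):])
    if "\0" in rel:
        return None
    # Reject traversal explicitly rather than silently normalising it away,
    # so the attempt can be logged by the caller.
    if any(seg == ".." for seg in rel.split("/")):
        return None
    # Collapse '.' and duplicate slashes; strip a leading '/' so that
    # os.path.join cannot treat the remainder as an absolute path.
    rel = posixpath.normpath(rel).lstrip("/")
    if rel == ".":
        rel = ""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, rel))
    # Defence in depth: containment check after resolving symlinks.
    if candidate != root_real and not candidate.startswith(root_real + os.sep):
        return None
    return candidate


if __name__ == "__main__":
    for path in ("/files/index.html", "/files/../prosody.cfg.lua",
                 "/files/%2e%2e/%2e%2e/etc/passwd", "/files//etc/passwd",
                 "/prosody.cfg.lua"):
        print(f"{path!r:40} -> {resolve_under_root(path)}")
```

The explicit `..` rejection and the realpath containment test are deliberately both present: the first gives a clean signal for detection, the second catches what lexical checks miss (symlinks inside the root pointing outside it).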
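The CVE-2016-1232 "Affected configurations" and "Temporary mitigation" sections above amount to a small decision procedure over three config options. The following added example (not part of the advisory or of Prosody) turns it into a config audit: it reads the `modules_disabled`, `s2s_secure_auth` and `dialback_secret` options from constructed prosody.cfg.lua fragments with simple regular expressions, assumes the module is listed as "dialback" in `modules_disabled`, and treats a custom secret of at least 32 characters as strong (an assumed threshold chosen to match the 32 random bytes the advisory's command produces).

```python
import re

# Constructed sample fragments of a prosody.cfg.lua (Lua syntax); not real deployments.
VULNERABLE_CFG = '''
modules_enabled = { "roster"; "saslauth"; "tls"; "dialback"; }
modules_disabled = { }
s2s_secure_auth = false
'''

HARDENED_CFG = '''
modules_enabled = { "roster"; "saslauth"; "tls"; "dialback"; }
s2s_secure_auth = true
dialback_secret = "3fJk9s2LqP8vX1mZ7bN4rT6wY0hC5eG2aD8uV3nQ1kL="  -- 32 random bytes, base64
'''

MIN_SECRET_CHARS = 32  # assumed threshold: as long as the advisory's 32-byte suggestion


def lua_bool(config, name):
    """Return True/False for `name = true|false`, or None if the option is absent."""
    m = re.search(rf'^\s*{name}\s*=\s*(true|false)', config, re.M)
    return None if m is None else m.group(1) == "true"


def lua_string(config, name):
    """Return the double-quoted value of `name = "..."`, or None if absent."""
    m = re.search(rf'^\s*{name}\s*=\s*"([^"]*)"', config, re.M)
    return None if m is None else m.group(1)


def lua_string_list(config, name):
    """Return the quoted entries of `name = { "a"; "b" }`, or [] if absent."""
    m = re.search(rf'^\s*{name}\s*=\s*\{{([^}}]*)\}}', config, re.M)
    return [] if m is None else re.findall(r'"([^"]*)"', m.group(1))


def assess_dialback_exposure(config):
    """Apply the advisory's affected-configuration rules; returns a list of findings."""
    findings = []
    if "dialback" in lua_string_list(config, "modules_disabled"):
        findings.append("not affected: mod_dialback is disabled")
        return findings
    secret = lua_string(config, "dialback_secret")
    if secret is not None and len(secret) >= MIN_SECRET_CHARS:
        findings.append("not affected: strong custom dialback_secret set (rotate it periodically)")
        return findings
    if secret is not None:
        findings.append(f"weak: dialback_secret is shorter than {MIN_SECRET_CHARS} characters")
    else:
        findings.append("affected: mod_dialback loaded with a generated secret (CVE-2016-1232); "
                        "upgrade to 0.9.9 or set a strong dialback_secret")
    # s2s_secure_auth limits the damage but does not remove the exposure.
    if lua_bool(config, "s2s_secure_auth"):
        findings.append("s2s_secure_auth = true: incoming spoofing attempts are rejected, "
                        "but this domain can still be spoofed to other servers")
    else:
        findings.append("s2s_secure_auth is not true: this setting does not block incoming spoofing attempts")
    return findings


if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_CFG), ("hardened", HARDENED_CFG)):
        print(label)
        for finding in assess_dialback_exposure(cfg):
            print("  -", finding)
```

Length is only a proxy for strength; the check cannot tell a 44-character base64 string from `/dev/urandom` apart from 44 repeated letters, so pair it with the upgrade rather than relying on it alone.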