[Chicken-hackers] [CRITICAL] Spiffy path traversal vulnerability

[Mario Domenech Goulart]

Hello,

Benedikt Rosenau discovered a critical security vulnerability
that affects Spiffy, the web server.

It's strongly advised that all Spiffy instances be updated as soon as
possible to version 5.4.  Please not that if you are using awful,
chickadee, pastiche, qwiki, websockets or any other egg that uses Spiffy
as HTTP server, your server is vulnerable as well.

Qwiki and henrietta may also be vulnerable, but to the best of
our knowledge there's no way to exploit the vulnerability so far.
Anyway, they have also been patched to restrict the possible
inputs.  If you are running qwiki and/or henrietta, updating to
versions 1.8 and 1.1 respectively is recommended.

The fix for the vulnerable eggs has just been released.  They are
available at the call-cc.org server.  You can update them with:

  $ chicken-install -l call-cc spiffy
  $ chicken-install -l call-cc qwiki
  $ chicken-install -l call-cc henrietta

Please note that in case of spiffy and qwiki, you may want to
stop the web server before updating it.

The new releases will be soon propagated to the canonical egg
server (~1h).

Description of the issue:

Spiffy assumes that a path component in the file system can never
contain slashes or NULs, which is true in a POSIX setting.  The
strings "." and ".." are also recognised as "special", so any
request to an URI with such path components is immediately
short-circuited to return 404 to ensure only paths BELOW the
document root can be accessed.

Additionally, on Windows, *back*slashes can't occur in path
components, but Spiffy neglected to filter these out.  This means
a path traversal attack has always been possible on that
platform.  Unexpectedly, Spiffy on UNIX is also affected by this.

The unfortunate cause of this is that some CHICKEN core
procedures are misbehaving: when passed a file that starts with a
backslash, some path manipulation procedures incorrectly
*replace* the backslash with a slash.  This has the effect of
injecting a path separator into a path component that was
supposed to be "atomic".  This results in the path component
being reinterpretated as two components.  An attacker can
therefore use backslashes in a URI to bypass Spiffy's pathname
component filtering, even on UNIX.

The issue with the CHICKEN core procedures has been addressed by
edd4926bb4f4c97760a0e03b0d0e8210398fe967 in the git repository, but it
is not in any stable release yet.  Note that Spiffy 5.4 eliminates the
vulnerability without requiring the fix for the CHICKEN core.

We apologize for the inconvenience.

We'd like to thank Benedikt Rosenau for discovering and reporting
the vulnerability.

The CHICKEN Team