Vulnerabilities

Some older versions of Ferron may contain security vulnerabilities. It’s recommended to keep Ferron up-to-date.

Fixed in Ferron 2.7.0 and Ferron 2.6.2 LTS

An attacker could send a large enough PROXY v2 header to crash the web server, if the PROXY protocol is enabled. This was caused by an out-of-bounds memory access attempt. (CWE-119; introduced in Ferron 2.0.0-beta.10)
An attacker could perform a path traversal vulnerability, if URL sanitizer was disabled and path canonicalization failed. (CWE-22; introduced in Ferron 2.3.0)
An attacker could sent a request with a “Proxy” header to a web server (with CGI, FastCGI or SCGI enabled) to perform an “httpoxy” attack (CWE-20)

An attacker could send a lot of concurrent requests that have a header defining accepted compression algorithm to be Brotli (for example using ferrbench -c 20000 -d 1h -t 12 -H "Cache-Control: no-cache" -H "Accept-Encoding: br" -h https://victim.example --http2 command) to cause the server to consume too much memory. (CWE-400)

An attacker could request a resource with a URL that would be replaced with a sanitized one, to possibly bypass security restrictions, if they’re configured in location configurations. (CWE-20; introduced in Ferron 1.0.0-beta2)

An attacker could connect to the server acting as a reverse proxy via HTTP/3 to cause a Rust panic in the server, and in effect crash the server. (CWE-248; fauth module; introduced in Ferron 1.1.0)
An attacker could connect to the server acting as a reverse proxy via HTTP/3 to cause a Rust panic in the server, and in effect crash the server. (CWE-248; rproxy module; introduced in Ferron 1.1.0)

An attacker could connect to the server that handles request bodies via HTTP/3 and send a request body to make the server stop accepting HTTP requests due to the server entering an infinite loop after the client finished sending the request body. (CWE-835; introduced in Ferron 1.1.0)

An attacker could send a lot of concurrent requests that have a header defining accepted compression algorithm to be Brotli (for example using ferrbench -c 100 -d 1h -t 12 -H "Accept-Encoding: br" -h https://victim.example --http2 command) to make the server stop accepting HTTP requests, due to inefficient compression process. (CWE-400).

An attacker could send a request body smaller than the specified length, wait for a long time, and repeat with many connections to possibly exhaust the server resources. This is because the server doesn’t implement server timeouts. (CWE-400)

An attacker could send a partial request body to the server, and then other parts of partial request body to possibly exhaust the server resources. This is because the server only sends first part of request body into web application. (CWE-770; cgi module; introduced in Project Karpacz 0.6.0).
An attacker could send a partial request body to the server, and then other parts of partial request body to possibly exhaust the server resources. This is because the server only sends first part of request body into web application. (CWE-770; fcgi module; introduced in Project Karpacz 0.6.0).
An attacker could send a partial request body to the server, and then other parts of partial request body to possibly exhaust the server resources. This is because the server only sends first part of request body into web application. (CWE-770; scgi module; introduced in Project Karpacz 0.6.0).

An attacker could add double slashes to the request URL before “cgi-bin” to bypass the CGI handler and possibly leak the CGI scripts’ source code. (CWE-22; cgi module; introduced in Project Karpacz 0.5.0).

An attacker could send a lot of concurrent requests (100 concurrent requests is enough) to make the server stop accepting HTTP requests. (CWE-410; rproxy module; introduced in Project Karpacz 0.2.0).