Date: Thu, 11 Apr 2013 15:12:51 +0200
From: Evert Pot <evert@...ftopsolutions.nl>
To: oss-security@...ts.openwall.com
Subject: SabreDAV security advisory (CVE-2013-1939)

# Local file exposure issue

Web: https://groups.google.com/forum/?fromgroups=#!topic/sabredav-discuss/ehOUu7wTSGQ

## CVE IDENTIFIERS

- CVE-2013-1939

## AFFECTED SOFTWARE

- SabreDAV < 1.6.8, < 1.7.6, < 1.8.4 running on Windows hosts.

## DESCRIPTION

It was possible for authenticated users to read any file on the local
filesystem, accessible by the webserver.

Thanks to Lukas Reschke for reporting this issue.

## RESOLUTION

Update to SabreDAV 1.6.9, 1.7.7 or 1.8.5 or turn off the 'Browser plugin'.

Zipballs:
http://code.google.com/p/sabredav/downloads/list

Or with composer:

    composer update sabre/dav

Regards,
Evert Pot