Date: Mon, 11 Aug 2014 20:38:22 +0200
From: Salvatore Bonaccorso <>
To: OSS Security Mailinglist <>
Cc: CVE Assignments MITRE <>
Subject: CVE Request: Plack::App::File does not prune trailing slashes:
 possible code exposure / information disclosure


Plack 1.0031 contains the following Changes entry[1]:

        - Plack::App::File would previously strip trailing slashes off
          provided paths. This in combination with the common pattern
          of serving files with Plack::Middleware::Static could allow
          an attacker to bypass a whitelist of generated files (avar) #446

See [2,3] for more details about this issue, which might lead to
information disclosure.


Can a CVE be assigned for this issue (as an example, CVE-2013-7329
was previously also assigned for CGI::Application)?
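
The mismatch the Changes entry describes, as an added Perl sketch (not Plack's code and not part of the original message): a hypothetical suffix-based check, `policy_allows`, stands in for the Plack::Middleware::Static filter, and the lossy resolver assumes the path is broken up with Perl's `split`, which discards trailing empty fields unless given a negative limit. The document root and request paths are constructed.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Constructed document root: one generated asset and one source file.
my %docroot = (
    'static/app.js' => 'generated asset',
    'lib/app.pl'    => 'source code',
);

# Hypothetical policy in front of the file server: refuse source files,
# judged by how the *request* path ends.
sub policy_allows {
    my ($path) = @_;
    return $path !~ /\.(?:pl|pm)\z/;
}

# Lossy resolver: split drops trailing empty fields, so
# "/lib/app.pl/" and "/lib/app.pl" resolve to the same file.
sub resolve_lossy {
    my ($path) = @_;
    my @parts = split m{/}, $path;
    shift @parts if @parts && $parts[0] eq '';
    return join '/', @parts;
}

# Strict resolver: limit -1 keeps trailing empty fields, and any empty,
# "." or ".." component makes the request unresolvable.
sub resolve_strict {
    my ($path) = @_;
    my @parts = split m{/}, $path, -1;
    shift @parts if @parts && $parts[0] eq '';
    return if grep { $_ eq '' || $_ eq '.' || $_ eq '..' } @parts;
    return join '/', @parts;
}

# The policy sees the raw path; the resolver decides which file is read.
sub serve {
    my ($resolver, $path) = @_;
    return '403' unless policy_allows($path);
    my $file = $resolver->($path);
    return '404' unless defined $file && exists $docroot{$file};
    return "200 $docroot{$file}";
}

for my $path ('/static/app.js', '/lib/app.pl', '/lib/app.pl/') {
    printf "%-16s lossy=%-22s strict=%s\n", $path,
        serve(\&resolve_lossy, $path), serve(\&resolve_strict, $path);
}
```

Running it shows the two resolvers agreeing on the first two paths and differing only on the one with the trailing slash, which is the case a filter has to be tested against.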

