Date: Mon, 11 Aug 2014 20:38:22 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: OSS Security Mailinglist <oss-security@...ts.openwall.com>
Cc: CVE Assignments MITRE <cve-assign@...re.org>
Subject: CVE Request: Plack::App::File does not prune trailing slashes: possible code exposure / information disclosure

Hi

Plack 1.0031 contains the following Changes entry:

    [SECURITY]
    - Plack::App::File would previously strip trailing slashes off
      provided paths. This in combination with the common pattern of
      serving files with Plack::Middleware::Static could allow an
      attacker to bypass a whitelist of generated files (avar) #446

See [2,3] for more details about this issue, which might lead to
information disclosure.

 [1] http://api.metacpan.org/source/MIYAGAWA/Plack-1.0031/Changes
 [2] https://github.com/plack/Plack/issues/405
 [3] https://github.com/plack/Plack/pull/446

Can a CVE be assigned for this issue (as an example, CVE-2013-7329 was
previously also assigned for CGI::Application)?

Regards,
Salvatore
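The mismatch behind the Changes entry, as an added example that is not part of the message above and not Plack's own code: Plack::Middleware::Static decides with its `path` option which requests are handed to Plack::App::File, and App::File then maps the request path to a file under `root`. When the filter is evaluated on the raw request path but the file lookup silently drops a trailing slash, the two layers disagree about which file a request names. The model below is Python written for this page. The document root, the files in it and the `static_path_filter` rule are constructed; the exact whitelist from the GitHub issue is not reproduced here, and `locate_file_strict` is one possible fix, not a claim about the change shipped in Plack 1.0031.

```python
import os
import re
import tempfile

# Constructed document root (not a real deployment): one generated asset the
# deployer intends to serve and one Perl module that must never reach a client.
ROOT = tempfile.mkdtemp(prefix="plack-model-")
os.makedirs(os.path.join(ROOT, "static"))
with open(os.path.join(ROOT, "static", "app.js"), "w") as fh:
    fh.write("console.log('generated asset');\n")
with open(os.path.join(ROOT, "static", "Secret.pm"), "w") as fh:
    fh.write("package Secret; our $DB_PASSWORD = 'hunter2'; 1;\n")


def static_path_filter(path_info):
    """Constructed stand-in for Static's `path` option: serve the generated tree,
    but keep server-side source out of it. Its verdict depends on how the path
    ENDS, which is exactly what a trailing slash changes."""
    return path_info.startswith("/static/") and not re.search(r"\.p[lm]$", path_info)


def locate_file_stripping(path_info, root=ROOT):
    """Model of the pre-1.0031 lookup: split on '/' and drop empty components,
    so '/static/Secret.pm/' and '/static/Secret.pm' name the same file."""
    if "\0" in path_info:
        return 400, None
    parts = [p for p in path_info.split("/") if p]
    if ".." in parts:
        return 403, None
    candidate = os.path.join(root, *parts) if parts else root
    return (200, candidate) if os.path.isfile(candidate) else (404, None)


def locate_file_strict(path_info, root=ROOT):
    """Hardened model: a path ending in '/' names a directory, never a regular
    file, so it is rejected before any lookup. One possible fix, written for
    this page; it does not claim to be the change made in Plack 1.0031."""
    if path_info.endswith("/"):
        return 404, None
    return locate_file_stripping(path_info, root)


def dispatch(path_info, locate):
    """Static-style middleware: the filter sees the raw request path, the locator
    decides what is read from disk. Returns (status, served path or None);
    status 'app' means the request was passed through to the application."""
    if not static_path_filter(path_info):
        return "app", None
    return locate(path_info)


if __name__ == "__main__":
    for req in ("/static/app.js", "/static/Secret.pm", "/static/Secret.pm/"):
        old = dispatch(req, locate_file_stripping)[0]
        new = dispatch(req, locate_file_strict)[0]
        print(f"{req:22} old: {old!s:>4}  fixed: {new!s:>4}")
```

With the stripping locator, `/static/Secret.pm` is correctly passed to the application, but `/static/Secret.pm/` slips past the filter and the locator serves `Secret.pm` anyway, which is the code-exposure case in the subject line. The strict locator refuses the trailing-slash form outright. Any filter whose answer for `/x/` differs from its answer for `/x` is exposed to this mismatch; when auditing a deployment, compare the path the filter sees with the path the file app actually opens, rather than trusting the filter alone.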