Date: Tue, 17 Nov 2015 17:51:17 +0100 From: Peter Bex <peter@...e-magic.net> To: Open Source Security <oss-security@...ts.openwall.com> Subject: CVE request for path traversal / info leak bug in Spiffy web server Hello all, I would like to request a CVE for a path traversal vulnerability in Spiffy, the web server written in CHICKEN Scheme. The bug allows one to request arbitrary files due to a problem in the handling of backslashes in URI path components. In principle, the bug only affects Windows, but unfortunately due to another bug in CHICKEN core that causes backslashes to be converted to slashes, *nix platforms are equally affected. A workaround to simply block all requests containing backslashes in path components has been implemented in Spiffy 5.4, and a proper solution (allowing backslashes on UNIX in CHICKEN versions where it's safe to do so) will be implemented in a later version, pending the fix in CHICKEN core. In other words, the bug applies to all versions of Spiffy prior to 5.4. The original announcement can be found here: http://lists.gnu.org/archive/html/chicken-announce/2015-11/msg00000.html Kind regards, Peter Bex Download attachment "signature.asc" of type "application/pgp-signature" (491 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ