Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 17 Nov 2015 17:51:17 +0100
From: Peter Bex <peter@...e-magic.net>
To: Open Source Security <oss-security@...ts.openwall.com>
Subject: CVE request for path traversal / info leak bug in Spiffy web server

Hello all,

I would like to request a CVE for a path traversal vulnerability in
Spiffy, the web server written in CHICKEN Scheme.  The bug allows
one to request arbitrary files due to a problem in the handling of
backslashes in URI path components.

In principle, the bug only affects Windows, but unfortunately due
to another bug in CHICKEN core that causes backslashes to be converted
to slashes, *nix platforms are equally affected.

A workaround to simply block all requests containing backslashes in
path components has been implemented in Spiffy 5.4, and a proper
solution (allowing backslashes on UNIX in CHICKEN versions where
it's safe to do so) will be implemented in a later version, pending
the fix in CHICKEN core.

In other words, the bug applies to all versions of Spiffy prior to 5.4.

The original announcement can be found here:
http://lists.gnu.org/archive/html/chicken-announce/2015-11/msg00000.html

Kind regards,
Peter Bex

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ