Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 19 Feb 2016 10:49:45 -0500 (EST)
From: cve-assign@...re.org
To: mouzannar@...il.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, yarolig@...il.com, security@...ian.org
Subject: Re: CVE request: didiwiki path traversal vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> https://github.com/OpenedHand/didiwiki/pull/1/files
> curl http://localhost:8000/api/page/get?page=/etc/passwd

We aren't sure about the need for CVE IDs for this product because it
doesn't seem to advertise any security properties, e.g.,

  https://github.com/OpenedHand/didiwiki/blob/master/README
  "Its probably not very secure at all."

We can assign a CVE ID if there is going to be a DSA.

One concern is that the design may not be intended for environments
with untrusted clients, and many other issues may be found. Also, we
aren't sure about the patch:

+   if (!isalnum(page_name[0]))
+        return FALSE;
+   
+    if (strstr(page_name, ".."))
+         return FALSE;

e.g., what about C:\file.txt if it's possible to build this on Windows.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWxzknAAoJEL54rhJi8gl57ogQAJA6Xt9qMW2rW+xJRgPptQSu
dImNhpj3wK1MccZge209MPhXQfRnbY7jvm0UjcFLBcbgmp6mXOnqgM0PHte58FYX
80VO1zj22aH5EyG8e1c/S18nKl7yRFhU56xXSYsmSBWU/1azhuTNX6hKhu1/kr0U
PSfkIgXaFhm7j1rj824/dBtTMVXa/nA4c/wDKTjkGkWld1l4V/7ZraaUiu28OZat
s/oiZcgG2cDHKhsh+fJ8tVin6wQE7+ydTJeVUQLrJqemD1Wnghthin5LDqnK77tP
Cq3R15bQjunn7dHz56BIE68aFhQoAjunv1GlHS5im5W3u3dRi4r9aRDQNiNO7WZL
NV0vflWiMmyNqNExOk9y3VOuTGBQ/BpbkW/YAMwyvzjRoMesuAE2fv6QdHXEs0j+
q7B4NiWmAcUPstyZpBoqq7iZm5c7OBaWmujs5k1jxOuRzsGfjY4pKUpc+4R1ydKm
+brG4jZa4rdBZbE9OB1fURVkgH4GqgOSGVdiPys/GbPk02YvUHQn28qg22b6aS+4
u8Xx5O2cTyzLyQIzVmqUUAS6CSmFFM5KiTZTTzW2W1tCzXwjnx3cQTPPH0IlSaR0
pPctHFMCXX2ghOikyNA4mrZuxUDCGYQHILD2QBOsEgBz8mr+eadz9DXh6zpaffp1
NRFKU2HYn0DCATgFJCdv
=GYQp
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ