Date: Fri, 19 Feb 2016 14:40:55 -0500
From: Ignace Mouzannar <mouzannar@...il.com>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com, Александр Измайлов <yarolig@...il.com>, security@...ian.org
Subject: Re: CVE request: didiwiki path traversal vulnerability

Hi,

Thank you for your reply.

On Fri, Feb 19, 2016 at 10:49 AM, <cve-assign@...re.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
>> https://github.com/OpenedHand/didiwiki/pull/1/files
>> curl http://localhost:8000/api/page/get?page=/etc/passwd
>
> We aren't sure about the need for CVE IDs for this product because it
> doesn't seem to advertise any security properties, e.g.,
>
> https://github.com/OpenedHand/didiwiki/blob/master/README
> "Its probably not very secure at all."
>
> We can assign a CVE ID if there is going to be a DSA.

The Debian Security team is planning on publishing a DSA, as this package is available in the (old)stable version of Debian.

> One concern is that the design may not be intended for environments
> with untrusted clients, and many other issues may be found. Also, we
> aren't sure about the patch:
>
> + if (!isalnum(page_name))
> + return FALSE;
> +
> + if (strstr(page_name, ".."))
> + return FALSE;
>
> e.g., what about C:\file.txt if it's possible to build this on Windows.

I admit not having looked into Windows (I am the package maintainer on Debian). For the record, didiwiki has not been packaged for Windows, and upstream has been MIA for a while now. So I'm not sure it is usable/used on Windows.

Cheers,
Ignace M
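Review bot: `if (!isalnum(page_name))` in the quoted hunk passes a `char *` to isalnum(), which takes a single character as an int; the call therefore tests the pointer value rather than any byte of the page name (and is undefined behaviour for values outside unsigned char / EOF), so it does not reject `/etc/passwd` as intended. The check needs to walk the string and test each character, e.g. `for (p = page_name; *p; p++) if (!isalnum((unsigned char)*p)) return FALSE;`; once that is in place the `strstr(page_name, "..")` test is redundant, since `.` is not alphanumeric, and the `C:\file.txt` case raised by cve-assign is also covered because `:` and `\` are rejected.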
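An added example, not didiwiki's code and not the patch under discussion, of the per-character validation the quoted hunk appears to intend: every byte of the page name is checked against a fixed allow-list (assumed here to be letters, digits, `_` and `-`), and the filesystem path is built only after the name passes. The `MAX_PAGE_NAME` limit, the `page_path` helper and the wiki root used in comments are constructed for this illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not didiwiki's code. Replacement for the quoted
 * isalnum(page_name) check: isalnum() inspects one character, so the
 * name is walked byte by byte. The allow-list is an assumption: letters,
 * digits, '_' and '-'. Anything else ('/', '\\', ':', '.') is rejected,
 * which refuses /etc/passwd, ../x and C:\file.txt without a separate
 * strstr(page_name, "..") test. */
#define MAX_PAGE_NAME 64  /* constructed limit for this example */

bool page_name_is_safe(const char *page_name)
{
    if (page_name == NULL || *page_name == '\0')
        return false;
    if (strlen(page_name) > MAX_PAGE_NAME)
        return false;
    for (const char *p = page_name; *p != '\0'; p++) {
        /* Cast: isalnum() is only defined for unsigned char values and EOF. */
        unsigned char c = (unsigned char)*p;
        if (!isalnum(c) && c != '_' && c != '-')
            return false;
    }
    return true;
}

/* Build "<wiki_root>/<page_name>" into out, but only for a validated name.
 * Returns 0 on success, -1 if the name is rejected or the buffer is too small,
 * so the caller never opens a path derived from an unchecked request value. */
int page_path(char *out, size_t out_len, const char *wiki_root, const char *page_name)
{
    if (!page_name_is_safe(page_name))
        return -1;
    int n = snprintf(out, out_len, "%s/%s", wiki_root, page_name);
    if (n < 0 || (size_t)n >= out_len)
        return -1;
    return 0;
}
```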