Date: Fri, 19 Feb 2016 14:40:55 -0500
From: Ignace Mouzannar <mouzannar@...il.com>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com, 
	Александр Измайлов <yarolig@...il.com>, 
	security@...ian.org
Subject: Re: CVE request: didiwiki path traversal vulnerability

Hi,

Thank you for your reply.

On Fri, Feb 19, 2016 at 10:49 AM,  <cve-assign@...re.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
>> https://github.com/OpenedHand/didiwiki/pull/1/files
>> curl http://localhost:8000/api/page/get?page=/etc/passwd
>
> We aren't sure about the need for CVE IDs for this product because it
> doesn't seem to advertise any security properties, e.g.,
>
>   https://github.com/OpenedHand/didiwiki/blob/master/README
>   "Its probably not very secure at all."
>
> We can assign a CVE ID if there is going to be a DSA.

The Debian Security team is planning on publishing a DSA, as this
package is available in the (old)stable version of Debian.

> One concern is that the design may not be intended for environments
> with untrusted clients, and many other issues may be found. Also, we
> aren't sure about the patch:
>
> +   if (!isalnum(page_name[0]))
> +        return FALSE;
> +
> +    if (strstr(page_name, ".."))
> +         return FALSE;
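Review bot: these two checks are a blacklist rather than a positive definition of a valid page name. They reject a leading non-alphanumeric byte and any `..` substring, but still admit interior `/`, `\` and `:` (the `C:\file.txt` case raised below passes both lines, since `C` is alphanumeric and the string contains no `..`), and they reject harmless names such as `My..Page`. A per-character allowlist over the whole string, e.g. `isalnum((unsigned char)c) || c == '_' || c == '-'` with a length bound, is easier to reason about and does not depend on the platform's path syntax. Separately, `isalnum(page_name[0])` should cast to `unsigned char`: passing a negative `char` value to the `<ctype.h>` functions is undefined behaviour.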
>
> e.g., what about C:\file.txt if it's possible to build this on Windows.

I admit not having looked into Windows (I am the package maintainer on
Debian). For the record, didiwiki has not been packaged for Windows,
and upstream has been MIA for a while now. So I'm not sure it is
usable/used on Windows.

Cheers,
 Ignace M
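The hunk quoted in this thread validates a page name by looking only at its first byte and at the `..` substring. The C program below is an added example, not didiwiki's code or the Debian patch: it reconstructs that posted check beside an allowlist validator so the difference in what each admits can be tested directly. The function names `page_name_ok_posted` and `page_name_ok_allowlist`, the `PAGE_NAME_MAX` bound, and the sample page names are all chosen here for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Check as posted in the thread, reconstructed from the quoted hunk.
 * It rejects a leading non-alphanumeric byte and any ".." substring.
 * The cast to unsigned char is added here: isalnum() on a negative
 * char value is undefined behaviour. */
bool page_name_ok_posted(const char *page_name)
{
    if (!isalnum((unsigned char)page_name[0]))
        return false;
    if (strstr(page_name, ".."))
        return false;
    return true;
}

/* Allowlist alternative (added example, not the project's code): the
 * name must be non-empty, at most PAGE_NAME_MAX bytes, and every byte
 * must be alphanumeric, '_' or '-'.  '/', '\\', ':' and '.' are never
 * accepted, so the result does not depend on the platform's path rules. */
#define PAGE_NAME_MAX 64

bool page_name_ok_allowlist(const char *page_name)
{
    size_t n = strlen(page_name);
    if (n == 0 || n > PAGE_NAME_MAX)
        return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)page_name[i];
        if (!isalnum(c) && c != '_' && c != '-')
            return false;
    }
    return true;
}

int main(void)
{
    /* Constructed sample inputs covering the cases discussed in the thread. */
    const char *samples[] = {
        "FrontPage", "/etc/passwd", "../secret", "C:\\file.txt",
        "sub/dir", "My..Page", "",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s posted=%d allowlist=%d\n", samples[i],
               (int)page_name_ok_posted(samples[i]),
               (int)page_name_ok_allowlist(samples[i]));
    return 0;
}
```

Running it shows the posted check accepting `C:\file.txt` and `sub/dir` (first byte alphanumeric, no `..`) while rejecting the harmless `My..Page`; the allowlist accepts only `FrontPage`.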
