Date: Fri, 19 Feb 2016 14:40:55 -0500
From: Ignace Mouzannar <>
	Александр Измайлов <>,
Subject: Re: CVE request: didiwiki path traversal vulnerability


Thank you for your reply.

On Fri, Feb 19, 2016 at 10:49 AM,  <> wrote:
>> curl http://localhost:8000/api/page/get?page=/etc/passwd
> We aren't sure about the need for CVE IDs for this product because it
> doesn't seem to advertise any security properties, e.g.,
>   "Its probably not very secure at all."
> We can assign a CVE ID if there is going to be a DSA.

The Debian Security team is planning on publishing a DSA, as this
package is available in the (old)stable version of Debian.

> One concern is that the design may not be intended for environments
> with untrusted clients, and many other issues may be found. Also, we
> aren't sure about the patch:
> +   if (!isalnum(page_name[0]))
> +        return FALSE;
> +
> +    if (strstr(page_name, ".."))
> +         return FALSE;
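Review bot: the check only looks at page_name[0] and at the substring "..", so a path separator anywhere after the first character still gets through; `isalnum(page_name[0])` plus `strstr(page_name, "..")` rejects "/etc/passwd" and "../x", but a name that starts with a letter or digit and contains '/' or '\' later on passes, which is precisely the "C:\file.txt" case raised in the next line. A more robust fix is an allowlist over the whole string (for example, reject any character that is not alphanumeric, '-' or '_'), and the `isalnum` call should take `(unsigned char)page_name[0]`, since passing a negative char value to the ctype functions is undefined behaviour.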
> e.g., what about C:\file.txt if it's possible to build this on Windows.

I admit not having looked into Windows (I am the package maintainer on
Debian). For the record, didiwiki has not been packaged for Windows,
and upstream has been MIA for a while now. So I'm not sure it is
usable/used on Windows.

 Ignace M
