Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 17 Nov 2015 17:51:17 +0100
From: Peter Bex <>
To: Open Source Security <>
Subject: CVE request for path traversal / info leak bug in Spiffy web server

Hello all,

I would like to request a CVE for a path traversal vulnerability in
Spiffy, the web server written in CHICKEN Scheme.  The bug allows
one to request arbitrary files due to a problem in the handling of
backslashes in URI path components.

In principle, the bug only affects Windows, but unfortunately due
to another bug in CHICKEN core that causes backslashes to be converted
to slashes, *nix platforms are equally affected.

A workaround to simply block all requests containing backslashes in
path components has been implemented in Spiffy 5.4, and a proper
solution (allowing backslashes on UNIX in CHICKEN versions where
it's safe to do so) will be implemented in a later version, pending
the fix in CHICKEN core.

In other words, the bug applies to all versions of Spiffy prior to 5.4.

The original announcement can be found here:

Kind regards,
Peter Bex

Download attachment "signature.asc" of type "application/pgp-signature" (491 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.