Date: Wed, 18 Jul 2018 08:30:18 +0100 From: Alexey Sokolov <alexey+znc@...kolov.org> To: oss-security@...ts.openwall.com Subject: CVE-2018-14056: path traversal in ZNC Severity: medium Versions affected: 0.045 through 1.7.0 Mitigation: upgrade to 1.7.1, or disable HTTP via `/msg *status AddPort`, `/msg *status DelPort` commands. Description: ZNC before 1.7.1-rc1 is prone to a path traversal flaw. A non-admin user can set web skin name to ../ to access files outside of the intended skins directories and to cause DoS. Upstream patch: https://github.com/znc/znc/commit/a4a5aeeb17d32937d8c7d743dae9a4cc755ce773 Reported by: Jeriko One <jeriko.one@....us> -- Best regards, Alexey "DarthGandalf" Sokolov
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.