Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20140811183822.GA5736@eldamar.local>
Date: Mon, 11 Aug 2014 20:38:22 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: OSS Security Mailinglist <oss-security@...ts.openwall.com>
Cc: CVE Assignments MITRE <cve-assign@...re.org>
Subject: CVE Request: Plack::App::File does not prune trailing slashes:
 possible code exposure / information disclosure

Hi

Plack 1.0031 contains the following Changes entry[1]:

    [SECURITY]
        - Plack::App::File would previously strip trailing slashes off
          provided paths. This in combination with the common pattern
          of serving files with Plack::Middleware::Static could allow
          an attacker to bypass a whitelist of generated files (avar) #446

See [2,3] for more details about this issue, which might lead to
information disclosure.

 [1] http://api.metacpan.org/source/MIYAGAWA/Plack-1.0031/Changes
 [2] https://github.com/plack/Plack/issues/405
 [3] https://github.com/plack/Plack/pull/446

Can a CVE be assigned for this isssue (as an example, CVE-2013-7329
was previously also assigned for CGI::Application).

Regards,
Salvatore

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.