|
Message-ID: <20140811183822.GA5736@eldamar.local> Date: Mon, 11 Aug 2014 20:38:22 +0200 From: Salvatore Bonaccorso <carnil@...ian.org> To: OSS Security Mailinglist <oss-security@...ts.openwall.com> Cc: CVE Assignments MITRE <cve-assign@...re.org> Subject: CVE Request: Plack::App::File does not prune trailing slashes: possible code exposure / information disclosure Hi Plack 1.0031 contains the following Changes entry[1]: [SECURITY] - Plack::App::File would previously strip trailing slashes off provided paths. This in combination with the common pattern of serving files with Plack::Middleware::Static could allow an attacker to bypass a whitelist of generated files (avar) #446 See [2,3] for more details about this issue, which might lead to information disclosure. [1] http://api.metacpan.org/source/MIYAGAWA/Plack-1.0031/Changes [2] https://github.com/plack/Plack/issues/405 [3] https://github.com/plack/Plack/pull/446 Can a CVE be assigned for this isssue (as an example, CVE-2013-7329 was previously also assigned for CGI::Application). Regards, Salvatore
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.