oss-sec mailing list archives

CVE Request -- yaws -- Directory traversal flaw


From: Jan Lieskovsky <jlieskov () redhat com>
Date: Fri, 25 Nov 2011 18:39:18 +0100

Hello Kurt, Steve, vendors,

  a directory traversal flaw was found in the way yaws, a web server
for dynamic content written in Erlang, processed certain URLs. A
remote, authenticated yaws user could use this flaw to obtain the content
of an arbitrary local file available to the yaws server user via
a specially-crafted URL request.

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=650009
[2] https://github.com/klacke/yaws/issues/69
[3] https://bugzilla.redhat.com/show_bug.cgi?id=757181

Could you allocate a CVE id for this?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

P.S.: As of right now, according to [2], there doesn't seem
      to be an upstream patch for this issue available yet.

