oss-sec mailing list archives
CVE request for path traversal / info leak bug in Spiffy web server
From: Peter Bex <peter () more-magic net>
Date: Tue, 17 Nov 2015 17:51:17 +0100
Hello all, I would like to request a CVE for a path traversal vulnerability in Spiffy, the web server written in CHICKEN Scheme. The bug allows one to request arbitrary files due to a problem in the handling of backslashes in URI path components. In principle, the bug only affects Windows, but unfortunately due to another bug in CHICKEN core that causes backslashes to be converted to slashes, *nix platforms are equally affected. A workaround to simply block all requests containing backslashes in path components has been implemented in Spiffy 5.4, and a proper solution (allowing backslashes on UNIX in CHICKEN versions where it's safe to do so) will be implemented in a later version, pending the fix in CHICKEN core. In other words, the bug applies to all versions of Spiffy prior to 5.4. The original announcement can be found here: http://lists.gnu.org/archive/html/chicken-announce/2015-11/msg00000.html Kind regards, Peter Bex
Attachment:
signature.asc
Description: Digital signature
Current thread:
- CVE request for path traversal / info leak bug in Spiffy web server Peter Bex (Nov 17)
- Re: CVE request for path traversal / info leak bug in Spiffy web server cve-assign (Nov 18)
- Re: CVE request for path traversal / info leak bug in Spiffy web server Peter Bex (Nov 18)
- Re: CVE request for path traversal / info leak bug in Spiffy web server cve-assign (Nov 18)