oss-sec mailing list archives
HTTP::Body before 1.23 for Perl is still vulnerable to CVE-2013-4407
From: Stig Palmquist <stig () stig io>
Date: Sun, 07 Apr 2024 12:47:55 +0000
HTTP::Body after 1.07 and before 1.23 for Perl handles multipart file uploads as temporary files while retaining file extensions. An attacker can provide crafted filenames containing for example shell metacharacters, affecting programs that expect these temporary filenames to be well formed. Version 1.23 of HTTP::Body has been fixed upstream to set a static ".upload" extension, overriding user provided extensions by default. Users are recommended to update to version 1.23 or later. NOTE: Currently, the CVE description incorrectly indicate that this was fixed in versions after 1.17. Version 1.18 provided: - A global variable to set the regex used to validate extensions - A code comment containing a stricter regex - No change to the default behavior Debian and other distributions are carrying a patch for CVE-2013-4407 including the stricter regex for versions before 1.23. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4407 https://metacpan.org/release/GETTY/HTTP-Body-1.23/view/lib/HTTP/Body.pm#NOTES https://metacpan.org/release/GETTY/HTTP-Body-1.18/source/lib/HTTP/Body/MultiPart.pm#L262 https://salsa.debian.org/perl-team/modules/packages/libhttp-body-perl/-/blob/8645c1b4b6a39f6d82b7a05869d567ae4e8f0e24/debian/patches/CVE-2013-4407.patch
Current thread:
- HTTP::Body before 1.23 for Perl is still vulnerable to CVE-2013-4407 Stig Palmquist (Apr 07)