oss-sec mailing list archives

Re: CVE Request -- yaws -- Directory traversal flaw

From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 25 Nov 2011 13:24:37 -0700

On 11/25/2011 10:39 AM, Jan Lieskovsky wrote:

Hello Kurt, Steve, vendors,

  a directory traversal flaw was found in the way yaws, web server
for dynamic content written in Erlang, processed certain URLs. A
remote, authenticated yaws user could use this flaw to obtain content
of arbitrary local file, available to the yaws server user via
specially-crafted URL request.

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=650009
[2] https://github.com/klacke/yaws/issues/69
[3] https://bugzilla.redhat.com/show_bug.cgi?id=757181

Could you allocate a CVE id for this?

Thank you && Regards, Jan.
-- 
Jan iankko Lieskovsky / Red Hat Security Response Team

P.S.: As of right now, according to [2], there doesn't seem
      to be an upstream patch for this issue available yet.


Please use CVE-2011-4350 for this issue

Hey,
This looks a lot like CVE-2010-4181, just a later version of yaws.

Thoughts?

-Rob


Yes, however this is a different version so new a CVE is warranted, had
these been released at the same time then they would have been merged
according to ADT4.


-- 

-Kurt Seifried / Red Hat Security Response Team

Current thread:

CVE Request -- yaws -- Directory traversal flaw Jan Lieskovsky (Nov 25)
- Re: CVE Request -- yaws -- Directory traversal flaw Rob Keith (Nov 25)
- Re: CVE Request -- yaws -- Directory traversal flaw Kurt Seifried (Nov 25)