oss-sec mailing list archives
CVE Request: Plack::App::File does not prune trailing slashes: possible code exposure / information disclosure
From: Salvatore Bonaccorso <carnil () debian org>
Date: Mon, 11 Aug 2014 20:38:22 +0200
Hi

Plack 1.0031 contains the following Changes entry[1]:

    [SECURITY]
    - Plack::App::File would previously strip trailing slashes off
      provided paths. This in combination with the common pattern
      of serving files with Plack::Middleware::Static could allow
      an attacker to bypass a whitelist of generated files (avar) #446

See [2,3] for more details about this issue, which might lead to
information disclosure.

[1] http://api.metacpan.org/source/MIYAGAWA/Plack-1.0031/Changes
[2] https://github.com/plack/Plack/issues/405
[3] https://github.com/plack/Plack/pull/446
Can a CVE be assigned for this issue (as an example, CVE-2013-7329
was previously also assigned for CGI::Application)?
Regards,
Salvatore
