[Pkg-erlang-devel] Bug#603748: Bug#603748: CVE-2010-4181

Sergei Golovan sgolovan at nes.ru
Wed Nov 17 06:11:19 UTC 2010


On Wed, Nov 17, 2010 at 1:06 AM, Moritz Muehlenhoff <jmm at debian.org> wrote:
>
> The following vulnerability has been reported in YAWS:
>
> | Directory traversal vulnerability in Yaws 1.89 allows remote attackers
> | to read arbitrary files via ..\ (dot dot backslash) and other
> | sequences.
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4181

It seems like this vulnerability is specific to MS Windows. I can't
reproduce it on Linux, where backslash isn't a directory delimiter
(though I've tried only 1.88 so far, so maybe 1.89 is still vulnerable;
I'll check it).

>
> This seems unfixed/unnoticed upstream AFAICT. Please get in touch with
> upstream.

OK.

-- 
Sergei Golovan
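
Added illustration (not part of the original message, and not Yaws code): the same request path is resolved against a document root under POSIX and under Windows path rules, using Python's `posixpath` and `ntpath` modules, to show why a `..\` sequence only escapes the root where backslash is a separator. The document roots, request paths and function names are constructed for this example.

```python
import ntpath
import posixpath

# Constructed sample request paths (not the advisory's reproducer).
SAMPLE_REQUESTS = [
    "/index.html",        # ordinary request
    "/../etc/passwd",     # dot dot slash
    "/..\\..\\boot.ini",  # dot dot backslash
]


def stays_inside(docroot, request_path, pathmod):
    """Return True if request_path, resolved under docroot with the path
    rules of pathmod (posixpath or ntpath), remains inside docroot."""
    rel = request_path.lstrip("/")
    root = pathmod.normpath(docroot)
    # Normalise AFTER joining, then compare against the root plus a
    # separator so that a sibling such as /var/www-old does not match.
    full = pathmod.normpath(pathmod.join(root, rel))
    return full == root or full.startswith(root + pathmod.sep)


def compare(requests=SAMPLE_REQUESTS):
    """Return (request, inside_on_posix, inside_on_windows) per request."""
    return [
        (
            req,
            stays_inside("/var/www", req, posixpath),  # assumed POSIX docroot
            stays_inside("C:\\www", req, ntpath),      # assumed Windows docroot
        )
        for req in requests
    ]


if __name__ == "__main__":
    for req, on_posix, on_windows in compare():
        print(f"{req!r:22} posix_inside={on_posix} windows_inside={on_windows}")
```

Under POSIX rules the backslash sequence is a single literal filename component below the root, so it stays inside; under Windows rules it normalises to a path outside the root and the check rejects it.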