Bug#731996: libembperl-perl: Embperl discloses full filesystem path in 404 pages
Eldar Marcussen
wireghoul at gmail.com
Fri Dec 13 02:52:43 UTC 2013
Package: libembperl-perl
Version: 2.5.0~rc3-1~bpo70+1
Severity: important
Tags: upstream
Dear Maintainer,
The Embperl handler discloses the full local file path when displaying a 404 page.
Hence any request to a file ending in .epl will reveal the document root
configured for the virtual host.
* What was the outcome of this action?
GET localhost/aksndlaksndklajnd.epl | grep /var/www
[1703]ERR: 404: aksndlaksndklajnd.epl(1): Not found '/var/www/aksndlaksndklajnd.epl', searched: No such file or directory
* What outcome did you expect instead?
Not disclosing that the webroot is /var/www, i.e.: Not found: /aksndlaksndklajnd.epl
-- System Information:
Debian Release: 7.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libembperl-perl depends on:
ii libc6 2.13-38
ii libwww-perl 6.04-1
ii libxml2 2.8.0+dfsg1-7+nmu2
ii libxslt1.1 1.1.26-14.1
ii perl 5.14.2-21+deb7u1
ii perl-base [perlapi-5.14.2] 5.14.2-21+deb7u1
Versions of packages libembperl-perl recommends:
ii apache2-mpm-prefork 2.2.22-13
ii libapache-sessionx-perl 2.01-4
ii libapache2-mod-perl2 2.0.7-3
Versions of packages libembperl-perl suggests:
pn libdbix-recordset-perl <none>
pn libjs-prototype <none>
pn mmm-mode <none>
-- no debconf information
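
The disclosure described in the report above can be checked for in an error-page body with the following added example, which is not part of the original report or of Embperl. It finds any absolute path that ends with the requested URL path and treats the extra leading directories as the disclosed document root; the function names, the regular expression and the sample strings (built from the output quoted in the report) are assumptions made for illustration.

```python
import re

# Constructed sample inputs: the 404 line quoted in the report and the
# form the reporter expected instead.
LEAKY = ("[1703]ERR: 404: aksndlaksndklajnd.epl(1): Not found "
         "'/var/www/aksndlaksndklajnd.epl', searched: No such file or directory")
EXPECTED = "Not found: /aksndlaksndklajnd.epl"

# An absolute path token. The lookbehind rejects a "/" that follows a word
# character, ".", ":" or "/", which keeps URLs such as http://host/x out.
ABS_PATH = re.compile(r"(?<![\w.:/])/[\w.+~-]+(?:/[\w.+~-]+)*")


def disclosed_roots(body, request_path):
    """Return the sorted directory prefixes prepended to request_path in body.

    request_path is the URL path that was requested and must start with "/".
    """
    roots = set()
    for match in ABS_PATH.finditer(body):
        path = match.group(0)
        # A longer path ending in the requested path means something was
        # prepended to it: that prefix is the server-side document root.
        if path != request_path and path.endswith(request_path):
            roots.add(path[: -len(request_path)])
    return sorted(roots)


def redact(body, request_path):
    """Rewrite each disclosed filesystem path to the requested URL path."""
    for root in disclosed_roots(body, request_path):
        body = body.replace(root + request_path, request_path)
    return body


if __name__ == "__main__":
    print(disclosed_roots(LEAKY, "/aksndlaksndklajnd.epl"))
    print(redact(LEAKY, "/aksndlaksndklajnd.epl"))
```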