Fabian Linzberger
2011-Nov-25 15:04 UTC
[Secure-testing-team] Bug#650009: yaws vulnerable to directory traversal using ..\\
Package: yaws
Version: 1.91-1
Severity: critical
Tags: security upstream sid

Hi,

A directory traversal vulnerability in yaws has been discovered and disclosed at [1]. At least the version of yaws currently in sid (1.91) is affected.

One can reproduce the issue by running:

    curl ''http://localhost:8080/..\\..\\..\\..\\/etc/passwd''

against a fresh install of the yaws package with default config. This will return a copy of the /etc/passwd file.

The default config only binds yaws to the localhost ip, but the vulnerability is the same if you run it on public addresses (as one would in many typical installations, it is a webserver).

I was not able to reproduce the issue in the version of the package in squeeze, with the above GET request, but I have not done a thorough investigation.

Upstream has promised a fix in the linked bug report, but there is no official patch yet.

Fabian

[1]: https://github.com/klacke/yaws/issues/69
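
The report does not say where the path check in yaws goes wrong, so the following is an added illustration in Python, not code from yaws or from the reporter. It shows a traversal filter that only looks at "/"-delimited segments beside one that also treats "\" as a separator; DOCROOT and both function names are hypothetical.

```python
import posixpath
from urllib.parse import unquote

DOCROOT = "/var/www/yaws"  # hypothetical document root, not taken from the report

# Request path from the report, plus a constructed percent-encoded variant.
REPORTED_PATH = r"/..\\..\\..\\..\\/etc/passwd"
ENCODED_VARIANT = "/..%5c..%5c/etc/passwd"

def naive_resolve(url_path, docroot=DOCROOT):
    """Weak filter: rejects '..' only when it is a whole '/'-delimited segment.

    A segment such as '..\\..' is not equal to '..', so it passes. That is
    dangerous whenever a later layer treats the backslash as a separator.
    """
    path = unquote(url_path)
    if ".." in path.split("/"):
        return None
    return docroot + path

def safe_resolve(url_path, docroot=DOCROOT):
    """Stricter filter: decode, fold '\\' into '/', refuse any '..' segment,
    then confirm the normalized result is still inside docroot."""
    path = unquote(url_path).replace("\\", "/")
    if "\x00" in path:
        return None
    segments = [s for s in path.split("/") if s not in ("", ".")]
    if ".." in segments:
        return None
    full = posixpath.normpath(posixpath.join(docroot, *segments))
    # Containment check as a second line of defence after the segment check.
    if full != docroot and not full.startswith(docroot + "/"):
        return None
    return full

if __name__ == "__main__":
    for p in ("/index.html", "/../etc/passwd", REPORTED_PATH, ENCODED_VARIANT):
        print(repr(p), "naive:", naive_resolve(p), "safe:", safe_resolve(p))
```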