[Secure-testing-team] Bug#650009: yaws vulnerable to directory traversal using ..\\

Fabian Linzberger e at lefant.net
Fri Nov 25 15:04:43 UTC 2011


Package: yaws
Version: 1.91-1
Severity: critical
Tags: security upstream sid

Hi,

A directory traversal vulnerability in yaws has been discovered and
disclosed at [1].

At least the version of yaws currently in sid (1.91) is affected. One
can reproduce the issue by running:

curl 'http://localhost:8080/..\\..\\..\\..\\/etc/passwd'

against a fresh install of the yaws package with default config.

This will return a copy of the /etc/passwd file. The default config
only binds yaws to the localhost IP, but the vulnerability is the same
if you run it on public addresses (as one would in many typical
installations, it is a webserver).


I was not able to reproduce the issue in the version of the package in
squeeze, with the above GET request, but I have not done a thorough
investigation.


Upstream has promised a fix in the linked bug report, but there is no
official patch yet.
  Fabian


[1]: https://github.com/klacke/yaws/issues/69
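An added illustration of the check the report implies, not code from the bug report or from yaws: a path-to-docroot resolver that only recognises '/' as a separator treats the reported `..\\` segments as a harmless filename, while one that treats '\\' and '/' alike refuses the request. The docroot value is assumed and the request path is the one from the curl command above.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed document root; a constructed value, not yaws' real default config.
DOCROOT = "/var/www"

# The request path exactly as the curl command in the report sends it
# (single quotes in the shell keep both backslashes per segment).
REPORTED_PATH = r"/..\\..\\..\\..\\/etc/passwd"


def naive_resolve(docroot, request_path):
    """Vulnerable pattern: only '/' counts as a separator, so '..\\' is just an
    odd-looking filename and the lexical check passes. A later layer that also
    honours '\\' (the OS, or a second normalisation step) then escapes docroot."""
    path = unquote(request_path)
    if "../" in path or path.endswith("/.."):
        return None
    return posixpath.normpath(posixpath.join(docroot, path.lstrip("/")))


# Treat runs of '/' and '\\' identically when splitting the request path.
SEPARATORS = re.compile(r"[/\\]+")


def segments(request_path):
    """Decode first, so the check sees what the filesystem would, then split on
    both separators and drop empty and '.' components."""
    return [s for s in SEPARATORS.split(unquote(request_path)) if s not in ("", ".")]


def resolve_safe(docroot, request_path):
    """Map a request path beneath docroot, or return None if any '..' (whichever
    separator surrounds it) would climb above it. Walking the segments with a
    stack also handles legitimate 'dir/../file' paths that stay inside docroot."""
    stack = []
    for seg in segments(request_path):
        if seg == "..":
            if not stack:
                return None  # would climb above docroot: refuse
            stack.pop()
        else:
            stack.append(seg)
    return posixpath.join(docroot, *stack)
```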