security upgrade for Yaws

Claes Wikstrom <>
Thu Jun 16 14:35:58 CEST 2005

A security bug was found in Yaws by SEC-Consult Unternehmensberatung
GmbH while they were doing security assements on the Nortel SSL-VPN produkt:

vulnerabilty overview:

If a null byte is appended to the filename of a yaws script (.yaws), the
yaws webserver returns a page containing the source code of the
according script. This flaw allows a malicious attacker to analyse the
source code of the entire web application, which might result in the
attacker gaining sensitiv information like passwords.

A new release (1.56) as well as a patch is available at


More information about the erlang-questions mailing list