security upgrade for Yaws

Claes Wikstrom <>
Thu Jun 16 14:35:58 CEST 2005



A security bug was found in Yaws by SEC-Consult Unternehmensberatung
GmbH while they were doing security assements on the Nortel SSL-VPN produkt:





vulnerabilty overview:
---------------

If a null byte is appended to the filename of a yaws script (.yaws), the
yaws webserver returns a page containing the source code of the
according script. This flaw allows a malicious attacker to analyse the
source code of the entire web application, which might result in the
attacker gaining sensitiv information like passwords.



A new release (1.56) as well as a patch is available at
http://yaws.hyber.org


/klacke



More information about the erlang-questions mailing list