security upgrade for Yaws
Claes Wikstrom
klacke@REDACTED
Thu Jun 16 14:35:58 CEST 2005
A security bug was found in Yaws by SEC-Consult Unternehmensberatung
GmbH while they were doing security assessments on the Nortel SSL-VPN product:
vulnerability overview:
---------------
If a null byte is appended to the filename of a yaws script (.yaws), the
yaws webserver returns a page containing the source code of the
according script. This flaw allows a malicious attacker to analyse the
source code of the entire web application, which might result in the
attacker gaining sensitive information like passwords.
A new release (1.56) as well as a patch is available at
http://yaws.hyber.org
/klacke
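
An added example, not part of the original post and not Yaws code: a detection pass over web server access logs for the request pattern described in the overview above (a NUL byte following a `.yaws` file name). It assumes Common Log Format request fields; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Assumption: access log in Common Log Format, request field "METHOD target HTTP/x.y".
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
SCRIPT_EXT = b".yaws"

def decode_path(target, max_rounds=3):
    """Percent-decode the path repeatedly so double-encoded NULs (%2500) surface."""
    path = target.split("?", 1)[0].encode("latin-1", "replace")
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(path)
        if decoded == path:
            break
        path = decoded
    return path

def classify(line):
    """Return 'nul-after-script', 'nul-in-path', or None for one log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    path = decode_path(m.group("target"))
    nul = path.find(b"\x00")
    if nul == -1:
        return None
    if path[:nul].lower().endswith(SCRIPT_EXT):
        return "nul-after-script"   # the pattern from the advisory
    return "nul-in-path"            # a NUL is never legitimate in a file name

def scan(lines):
    """Yield (verdict, line) for every line that carries a NUL in its path."""
    for line in lines:
        verdict = classify(line)
        if verdict:
            yield verdict, line

# Constructed sample lines (documentation addresses, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Jun/2005:14:01:02 +0200] "GET /index.yaws HTTP/1.1" 200 5120',
    '192.0.2.44 - - [16/Jun/2005:14:03:11 +0200] "GET /login.yaws%00 HTTP/1.1" 200 2210',
    '192.0.2.44 - - [16/Jun/2005:14:03:15 +0200] "GET /admin/conf.yaws%2500 HTTP/1.0" 200 1893',
    '192.0.2.7 - - [16/Jun/2005:14:04:40 +0200] "GET /img/logo.png?x=%00 HTTP/1.1" 200 800',
    '192.0.2.9 - - [16/Jun/2005:14:05:02 +0200] "GET /files/a%00.txt HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for verdict, line in scan(SAMPLE_LOG):
        print(verdict, line)
```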