security upgrade for Yaws

Michael McDaniel <>
Thu Jun 16 17:24:35 CEST 2005


	Thanks for your quick response.
	(And thanks to SEC-Consult)

~Michael

On Thu, Jun 16, 2005 at 02:35:58PM +0200, Claes Wikstrom wrote:
> 
> 
> A security bug was found in Yaws by SEC-Consult Unternehmensberatung
> GmbH while they were doing security assements on the Nortel SSL-VPN produkt:
> 
> 
> 
> 
> 
> vulnerabilty overview:
> ---------------
> 
> If a null byte is appended to the filename of a yaws script (.yaws), the
> yaws webserver returns a page containing the source code of the
> according script. This flaw allows a malicious attacker to analyse the
> source code of the entire web application, which might result in the
> attacker gaining sensitiv information like passwords.
> 
> 
> 
> A new release (1.56) as well as a patch is available at
> http://yaws.hyber.org
> 
> 
> /klacke



More information about the erlang-questions mailing list