security upgrade for Yaws
Michael McDaniel
erlang@REDACTED
Thu Jun 16 17:24:35 CEST 2005
Thanks for your quick response.
(And thanks to SEC-Consult)
~Michael
On Thu, Jun 16, 2005 at 02:35:58PM +0200, Claes Wikstrom wrote:
>
> A security bug was found in Yaws by SEC-Consult Unternehmensberatung
> GmbH while they were doing security assessments on the Nortel SSL-VPN product:
>
> vulnerability overview:
> ---------------
>
> If a null byte is appended to the filename of a yaws script (.yaws), the
> yaws webserver returns a page containing the source code of the
> according script. This flaw allows a malicious attacker to analyse the
> source code of the entire web application, which might result in the
> attacker gaining sensitive information like passwords.
>
> A new release (1.56) as well as a patch is available at
> http://yaws.hyber.org
>
>
> /klacke
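The advisory quoted above does not say how Yaws handled the name internally, so the following is an added example, not code from the post or from Yaws: a Python model of one common way this class of bug arises, next to a hardened check. The function names, the `reject_400` result and the assumption that the file layer stops reading the name at the first NUL are all hypothetical.

```python
from urllib.parse import unquote_to_bytes

SCRIPT_EXT = b".yaws"  # the script extension named in the advisory


def os_view(name: bytes) -> bytes:
    """Model of a C-string file API: the name ends at the first NUL (assumption)."""
    return name.split(b"\x00", 1)[0]


def naive_dispatch(raw_path: str):
    """Flawed model: the handler is chosen from the full decoded name,
    but the file that gets opened is whatever the OS layer sees."""
    name = unquote_to_bytes(raw_path)
    handler = "execute" if name.endswith(SCRIPT_EXT) else "send_as_static"
    return handler, os_view(name)


def hardened_dispatch(raw_path: str):
    """Reject NUL and other control bytes before any extension check or file access,
    so the dispatcher and the file layer always agree on the name."""
    name = unquote_to_bytes(raw_path)
    if any(b < 0x20 or b == 0x7F for b in name):
        return "reject_400", None
    handler = "execute" if name.endswith(SCRIPT_EXT) else "send_as_static"
    return handler, name


if __name__ == "__main__":
    # Constructed request paths, not taken from the advisory.
    for path in ("/index.yaws", "/index.yaws%00", "/logo.png"):
        print(path, naive_dispatch(path), hardened_dispatch(path))
```

In the naive model the request with the trailing null byte is classified as static content while the script file itself is opened, which matches the source disclosure the advisory describes; the hardened version refuses the request before either decision is made.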