diff options
Diffstat (limited to 'archives/extend/2013-February/000065.html')
-rw-r--r-- | archives/extend/2013-February/000065.html | 119 |
1 files changed, 119 insertions, 0 deletions
diff --git a/archives/extend/2013-February/000065.html b/archives/extend/2013-February/000065.html new file mode 100644 index 00000000..8747e30f --- /dev/null +++ b/archives/extend/2013-February/000065.html @@ -0,0 +1,119 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<HTML> + <HEAD> + <TITLE> [99s-extend] Directory traversal vulnerability on Windows platform + </TITLE> + <LINK REL="Index" HREF="index.html" > + <LINK REL="made" HREF="mailto:extend%40lists.ninenines.eu?Subject=Re%3A%20%5B99s-extend%5D%20Directory%20traversal%20vulnerability%20on%20Windows%20platform&In-Reply-To=%3C5128E5CF.5010106%40ninenines.eu%3E"> + <META NAME="robots" CONTENT="index,nofollow"> + <style type="text/css"> + pre { + white-space: pre-wrap; /* css-2.1, curent FF, Opera, Safari */ + } + </style> + <META http-equiv="Content-Type" content="text/html; charset=us-ascii"> + <LINK REL="Previous" HREF="000064.html"> + + </HEAD> + <BODY BGCOLOR="#ffffff"> + <H1>[99s-extend] Directory traversal vulnerability on Windows platform</H1> + <B>Loïc Hoguin</B> + <A HREF="mailto:extend%40lists.ninenines.eu?Subject=Re%3A%20%5B99s-extend%5D%20Directory%20traversal%20vulnerability%20on%20Windows%20platform&In-Reply-To=%3C5128E5CF.5010106%40ninenines.eu%3E" + TITLE="[99s-extend] Directory traversal vulnerability on Windows platform">essen at ninenines.eu + </A><BR> + <I>Sat Feb 23 16:52:47 CET 2013</I> + <P><UL> + <LI>Previous message: <A HREF="000064.html">[99s-extend] Cowboy 0.8.1 +</A></li> + + <LI> <B>Messages sorted by:</B> + <a href="date.html#65">[ date ]</a> + <a href="thread.html#65">[ thread ]</a> + <a href="subject.html#65">[ subject ]</a> + <a href="author.html#65">[ author ]</a> + </LI> + </UL> + <HR> +<!--beginarticle--> +<PRE>A directory traversal vulnerability affecting all Windows platforms has +been discovered. Please follow these instructions to find out if you are +affected. Please take immediate action if you are. + +### Am I affected? + +You are if you match all of the following requirements: + + * You run Cowboy in production on the Windows platform + * You make use of `cowboy_static` (or `cowboy_http_static` in older +versions) + +### How serious is it? + +This vulnerability allows an attacker to request any file from your +system (only limited by the access rights of the user running the Erlang +VM). The attacker cannot list files through this vulnerability. This +however does not reduce the seriousness of this vulnerability as an +attacker can always use brute force or any other method to try to find +files on your system. + +### How can I fix it? + +No patch is currently available. + +You should temporarily switch to using IIS or any other web server for +serving the static files, or use a CDN instead. + +### How can I make sure this will not happen again? + +A fully cross-platform fix will be pushed to Cowboy in the coming days. + +This issue exists essentially because Windows isn't a supported platform +and we do not have the resources or knowledge to make the Windows +experience safe and smooth. + +If you are a Windows user, you can ensure that kind of issue does not +happen again by becoming a regular contributor and making sure the team +is aware of any potential issue that may arise on Windows. + +### Why disclose? + +Essentially for three reasons: + + * Considering the known user base, a very low number of people might +be hit by this issue + * A temporary fix is readily available + * Community help is needed to ensure a proper fix gets merged + +The following ticket can be used for tracking this issue: + + <A HREF="https://github.com/extend/cowboy/issues/447">https://github.com/extend/cowboy/issues/447</A> + +Please ping this ticket if you are affected. Ignore if you are not. Thanks. + +-- +Loïc Hoguin +Erlang Cowboy +Nine Nines +<A HREF="http://ninenines.eu">http://ninenines.eu</A> + +</PRE> + +<!--endarticle--> + <HR> + <P><UL> + <!--threads--> + <LI>Previous message: <A HREF="000064.html">[99s-extend] Cowboy 0.8.1 +</A></li> + + <LI> <B>Messages sorted by:</B> + <a href="date.html#65">[ date ]</a> + <a href="thread.html#65">[ thread ]</a> + <a href="subject.html#65">[ subject ]</a> + <a href="author.html#65">[ author ]</a> + </LI> + </UL> + +<hr> +<a href="https://lists.ninenines.eu/listinfo/extend">More information about the Extend +mailing list</a><br> +</body></html> |