[99s-extend] Directory traversal vulnerability on Windows platform

Loïc Hoguin essen at ninenines.eu
Sat Feb 23 16:52:47 CET 2013

Previous message: [99s-extend] Cowboy 0.8.1
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

A directory traversal vulnerability affecting all Windows platforms has 
been discovered. Please follow these instructions to find out if you are 
affected. Please take immediate action if you are.

### Am I affected?

You are if you match all of the following requirements:

  *  You run Cowboy in production on the Windows platform
  *  You make use of `cowboy_static` (or `cowboy_http_static` in older 
versions)

### How serious is it?

This vulnerability allows an attacker to request any file from your 
system (only limited by the access rights of the user running the Erlang 
VM). The attacker cannot list files through this vulnerability. This 
however does not reduce the seriousness of this vulnerability as an 
attacker can always use brute force or any other method to try to find 
files on your system.

### How can I fix it?

No patch is currently available.

You should temporarily switch to using IIS or any other web server for 
serving the static files, or use a CDN instead.

### How can I make sure this will not happen again?

A fully cross-platform fix will be pushed to Cowboy in the coming days.

This issue exists essentially because Windows isn't a supported platform 
and we do not have the resources or knowledge to make the Windows 
experience safe and smooth.

If you are a Windows user, you can ensure that kind of issue does not 
happen again by becoming a regular contributor and making sure the team 
is aware of any potential issue that may arise on Windows.

### Why disclose?

Essentially for three reasons:

  *  Considering the known user base, a very low number of people might 
be hit by this issue
  *  A temporary fix is readily available
  *  Community help is needed to ensure a proper fix gets merged

The following ticket can be used for tracking this issue:

   https://github.com/extend/cowboy/issues/447

Please ping this ticket if you are affected. Ignore if you are not. Thanks.

-- 
Loïc Hoguin
Erlang Cowboy
Nine Nines
http://ninenines.eu

Previous message: [99s-extend] Cowboy 0.8.1
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the Extend mailing list