A security vulnerability has been identified in GoAhead 3.X that can be triggered by specially crafted upload requests. This bulletin discusses the flaw and its implications.
This issue is identified by CVE-2017-14149.
An HTTP POST request with specially crafted, invalid upload fields may cause a NULL dereference and thus a denial of service.
If the required "name" field of a file upload request is omitted, the upload handler may encounter a NULL dereference.
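The failure mode described above, shown as an added example that is not GoAhead's code and not the patch this bulletin refers to: a stand-alone parser for a multipart `Content-Disposition` value that rejects the part when `name` is absent instead of leaving a NULL pointer for later code to dereference. The function names and the sample header strings are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not a GoAhead API): copy parameter `key` from a
   Content-Disposition value into out. Returns 1 if found, 0 otherwise. */
static int get_param(const char *hdr, const char *key, char *out, size_t outlen)
{
    const char *p = strchr(hdr, ';');          /* skip the disposition type */
    size_t klen = strlen(key);

    while (p != NULL && *p == ';') {
        const char *k, *v, *start, *end;
        for (k = p + 1; *k == ' ' || *k == '\t'; k++) {}
        if ((v = strchr(k, '=')) == NULL) return 0;
        if (v[1] == '"') {                     /* quoted value may hold ';' */
            start = v + 2;
            if ((end = strchr(start, '"')) == NULL) return 0;
            p = end + 1;
        } else {                               /* bare token ends at ';' */
            start = v + 1;
            end = start + strcspn(start, ";");
            p = end;
        }
        if ((size_t)(v - k) == klen && strncmp(k, key, klen) == 0) {
            size_t len = (size_t)(end - start);
            if (len >= outlen) return 0;       /* would not fit: treat as bad */
            memcpy(out, start, len);
            out[len] = '\0';
            return 1;
        }
        while (*p == ' ' || *p == '\t') p++;
    }
    return 0;
}

/* Returns 0 on success, -1 when the required "name" is missing so the caller
   can reject the request. An empty name is also rejected (example's choice). */
int parse_upload_disposition(const char *hdr, char *name, size_t nlen,
                             char *file, size_t flen)
{
    if (hdr == NULL || !get_param(hdr, "name", name, nlen) || name[0] == '\0')
        return -1;
    if (!get_param(hdr, "filename", file, flen)) file[0] = '\0';
    return 0;
}

int main(void)
{
    char name[64], file[64];
    /* Constructed sample: upload part with no name parameter. */
    int rc = parse_upload_disposition("form-data; filename=\"a.txt\"",
                                      name, sizeof name, file, sizeof file);
    printf("missing name -> %d\n", rc);
    return 0;
}
```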
Versions 3.X. Fixed in 4.0 (which is API compatible with 3.X).
Medium. An attacker could cause a denial of service.
Apply the quick patch below to GoAhead 3.X. Alternatively, upgrade to GoAhead 4 when it is released. GoAhead 4.0 is highly compatible with GoAhead 3.6 and upgrading should be straightforward.
For GoAhead 3.X users, here is a quick patch:
A related patch should also be applied:
Please contact Embedthis if you require further information, test code or assistance at email@example.com.