A security vulnerability has been identified in GoAhead versions 3-4, up to and including 4.0.0, that is triggered by specially crafted if-modified or host headers. This bulletin discusses this flaw and its implications.
An HTTP POST request with specially crafted, invalid if-modified and/or Host header fields may cause a NULL dereference and thus a denial of service.
If the "host" field of an HTTP request does not contain a closing IPv6 ']' character, a NULL dereference will occur.
If the "if-modified-since" or "if-unmodified-since" headers contain an invalid time such that the month decodes to be greater than 11, a NULL dereference will occur.
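The two defensive checks these conditions call for, as an added example that is not GoAhead's code or the bulletin's patch: the function names `parse_host_header` and `days_in_month` and their signatures are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper, not GoAhead code: split a Host header value into host
 * and port. Returns 0 on success, -1 when the value is malformed. */
int parse_host_header(const char *value, char *host, size_t hostlen,
                      const char **port)
{
    const char *start = value, *end;
    size_t len;

    if (value == NULL || host == NULL || hostlen == 0 || port == NULL)
        return -1;
    *port = NULL;
    if (*value == '[') {
        /* IPv6 literal: strchr() returns NULL when ']' is missing, so check
         * the result before dereferencing it or doing pointer arithmetic. */
        start = value + 1;
        end = strchr(start, ']');
        if (end == NULL)
            return -1;
        if (end[1] == ':')
            *port = end + 2;
        else if (end[1] != '\0')
            return -1;
    } else {
        end = strchr(value, ':');
        if (end != NULL)
            *port = end + 1;
        else
            end = value + strlen(value);
    }
    len = (size_t)(end - start);
    if (len == 0 || len >= hostlen)
        return -1;
    memcpy(host, start, len);
    host[len] = '\0';
    return 0;
}

/* Hypothetical helper: days in a decoded month (0 = January). A month
 * outside 0..11 returns -1 so the caller rejects the date header. */
int days_in_month(int month, int leap_year)
{
    static const int days[12] = {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};
    if (month < 0 || month > 11)
        return -1;
    return days[month] + (month == 1 && leap_year ? 1 : 0);
}
```

A caller that receives -1 from either function should reject the request with an error response instead of continuing to use the partially parsed value.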
Versions up to and including 4.0.0. Fixed in 4.0.1.
Medium. An attacker could cause a denial of service.
Apply the quick patch below to GoAhead 3.X to 4.X. Alternatively, upgrade to GoAhead 4.0.1.
Please contact Embedthis if you require further information, test code or assistance at email@example.com.