Join GitHub today
GitHub is home to over 31 million developers working together to host and review code, manage projects, and build software together.Sign up
GoAhead Security Alerts #99
SSL POODLE Vulnerability
The “POODLE” vulnerability has been identified where the SSL 3.0 protocol can be exploited to decrypt cipher text using a padded side-channel attack. The attack tricks browsers into downgrading to use SSL 3.0 which is vulnerable. Appweb 4.X and 5.X versions should be patched to ensure SSL 3 is disabled. For further details read:
GoAhead Issue #98
Recommended action: Upgrade OpenSSL as soon as possible.
A patch will be posted on the 10-29-2014 in the GoAhead 3.4.1 release.
URI Parsing Dot Segments
GoAhead WebServer contains a URI parsing flaw permits directory traversal and a denial of service. A specially crafted request URL can expose directory and file contents. This flaw exists because the application correctly handle URLs that contain ".*" filename segments. For further details read:
GoAhead Issue #106
Recommended action: Upgrade to 3.4.2 or later as soon as possible.
A patch will be posted on the 11-24-2014 in the GoAhead 3.4.2 release.
Digest Authentication Parsing
GoAhead WebServer contains a Digest Authentication Header parsing flaw that fails to reject invalid digest headers and incorrectly authenticates the user.
GoAhead Issue #121
Recommended action: Upgrade to 3.4.4 or later as soon as possible, or apply the patch in the Issue 115.
A patch will be posted on the 5-30-2015 in the GoAhead 3.4.4 release.
CGI Remote Code Execution
GoAhead 2.x and 3.x have a remote code execution vulnerability in the CGI handler on Linux. This permits code injection at the privilege level of the CGI process. This impacts those sites that use dynamically linked CGI programs on Linux with GoAhead.
Recommended action: Upgrade to GoAhead 3.6.5 immediately if using CGI on Linux with dynamic linking.
NULL dereference for invalid Host and If-Modified-* headers
GoAhead 3.x and 4.0.0 have a denial of service vulnerability that can be provoked via specially crafted If-modified or Host HTTP headers.
GoAhead Security Notice #264
Recommended action: Upgrade to GoAhead 4.0.1 immediately or apply the patch described in the security notice.