GoAhead Security Alerts #99

Open
embedthis opened this Issue Oct 22, 2014 · 5 comments

ghost commented Oct 22, 2014

GoAhead Security Alerts

Notification Alert Log for GoAhead security issues. Subscribe to be notified when alerts are posted to log.

@embedthis embedthis added the security label Oct 22, 2014

@embedthis embedthis reopened this Nov 10, 2014

ghost commented Nov 24, 2014

SSL POODLE Vulnerability

10-21-2014

The “POODLE” vulnerability has been identified where the SSL 3.0 protocol can be exploited to decrypt cipher text using a padded side-channel attack. The attack tricks browsers into downgrading to use SSL 3.0 which is vulnerable. Appweb 4.X and 5.X versions should be patched to ensure SSL 3 is disabled. For further details read:

GoAhead Issue #98

Recommended action: Upgrade OpenSSL as soon as possible.

A patch will be posted on 10-29-2014 in the GoAhead 3.4.1 release.

ghost commented Nov 24, 2014

URI Parsing Dot Segments

11-24-2014

GoAhead WebServer contains a URI parsing flaw that permits directory traversal and a denial of service. A specially crafted request URL can expose directory and file contents. This flaw exists because the application correctly handles URLs that contain ".*" filename segments. For further details read:

GoAhead Issue #106

Recommended action: Upgrade to 3.4.2 or later as soon as possible.

A patch will be posted on 11-24-2014 in the GoAhead 3.4.2 release.
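The defensive side of the dot-segment problem above, as an added example (not GoAhead's own code, and not the patch from the linked issue): percent-decode the request path first so an encoded `%2e%2e` cannot bypass the check, then remove `.` and `..` segments RFC 3986 style while refusing any path that would climb above the document root. The `MAX_SEGS` depth limit, the 1024-byte decode buffer, and the outright refusal of other all-dots segments such as `...` are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>

#define MAX_SEGS 64   /* assumption: deeper document trees are not expected */

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode %XX first so "%2e%2e" cannot slip past the dot-segment check.
 * Malformed escapes and an encoded NUL byte are rejected. Returns 0 or -1. */
static int url_decode(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    for (size_t i = 0; in[i]; i++) {
        int c = (unsigned char)in[i];
        if (c == '%') {
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = in[i + 1] ? hexval((unsigned char)in[i + 2]) : -1;
            if (hi < 0 || lo < 0) return -1;
            c = hi * 16 + lo;
            if (c == 0) return -1;
            i += 2;
        }
        if (o + 1 >= outsz) return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 0;
}

/* 1 if the first n bytes of s are all '.', 0 otherwise (n == 0 is not all-dots). */
static int all_dots(const char *s, size_t n) { return n > 0 && strspn(s, ".") >= n; }

/* RFC 3986 5.2.4 style dot-segment removal with a hard root boundary:
 * "." is dropped, ".." pops one segment and fails when nothing is left to pop,
 * and (assumption) any other all-dots segment such as "..." is refused outright.
 * Returns 0 with the clean path in out, or -1 if the request must be rejected. */
static int normalize_uri_path(const char *in, char *out, size_t outsz) {
    const char *seg[MAX_SEGS];
    size_t len[MAX_SEGS], depth = 0, pos = 0;
    const char *p = in;
    int trailing_slash = 0;
    if (*p == '/') p++;                          /* resolve relative to the document root */
    while (*p) {
        const char *end = strchr(p, '/');
        size_t n = end ? (size_t)(end - p) : strlen(p);
        trailing_slash = 0;
        if (n == 0) {
            /* "//": empty segment, ignore */
        } else if (n == 1 && p[0] == '.') {
            trailing_slash = 1;
        } else if (n == 2 && p[0] == '.' && p[1] == '.') {
            if (depth == 0) return -1;           /* would climb above the root */
            depth--;
            trailing_slash = 1;
        } else if (all_dots(p, n)) {
            return -1;
        } else {
            if (depth == MAX_SEGS) return -1;
            seg[depth] = p;
            len[depth++] = n;
        }
        if (!end) break;
        p = end + 1;
        if (*p == '\0') trailing_slash = 1;
    }
    for (size_t i = 0; i < depth; i++) {
        if (pos + len[i] + 2 > outsz) return -1;  /* room for '/', segment, NUL */
        out[pos++] = '/';
        memcpy(out + pos, seg[i], len[i]);
        pos += len[i];
    }
    if (depth == 0 || trailing_slash) {
        if (pos + 2 > outsz) return -1;
        out[pos++] = '/';
    }
    out[pos] = '\0';
    return 0;
}

/* Decode, then normalize. A -1 here means answer 400/404 and never touch the filesystem. */
int safe_uri_path(const char *raw, char *out, size_t outsz) {
    char decoded[1024];                          /* assumption: request paths are shorter */
    if (url_decode(raw, decoded, sizeof decoded) != 0) return -1;
    return normalize_uri_path(decoded, out, outsz);
}

/* 1 if raw cleans up to expect; with expect == NULL, 1 if raw is refused. */
int path_normalizes_to(const char *raw, const char *expect) {
    char out[256];
    int rc = safe_uri_path(raw, out, sizeof out);
    return expect ? (rc == 0 && strcmp(out, expect) == 0) : rc != 0;
}
```

Call `safe_uri_path()` on the raw request target before it is joined to the document root; `/docs/../index.html` comes back as `/index.html`, while `/../etc/passwd`, `/%2e%2e/etc/passwd` and `/a/.../b` all return -1. Decoding before normalising is the part most often got wrong: a checker that looks for `..` in the undecoded string is blind to the encoded form.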

ghost commented Apr 10, 2015

Digest Authentication Parsing

4-9-2015

GoAhead WebServer contains a Digest Authentication Header parsing flaw that fails to reject invalid digest headers and incorrectly authenticates the user.

GoAhead Issue #121

Recommended action: Upgrade to 3.4.4 or later as soon as possible, or apply the patch in Issue 115.

A patch will be posted on 5-30-2015 in the GoAhead 3.4.4 release.

mobsense commented Jun 9, 2017

CGI Remote Code Execution

6-9-2017

GoAhead 2.x and 3.x have a remote code execution vulnerability in the CGI handler on Linux. This permits code injection at the privilege level of the CGI process. This impacts those sites that use dynamically linked CGI programs on Linux with GoAhead.

GoAhead Security Notice #262
GoAhead Issue #249

Recommended action: Upgrade to GoAhead 3.6.5 immediately if using CGI on Linux with dynamic linking.

mobsense commented Feb 12, 2018

NULL dereference for invalid Host and If-Modified-* headers

2-13-18

GoAhead 3.x and 4.0.0 have a denial of service vulnerability that can be provoked via specially crafted If-modified or Host HTTP headers.

GoAhead Security Notice #264

Recommended action: Upgrade to GoAhead 4.0.1 immediately or apply the patch described in the security notice.
