Directory traversal vulnerability on Windows platform #447
Comments
|
I may test things |
|
This may turn helpful: http://www.erlang.org/doc/man/filename.html#split-1 , honor |
|
another precausion would be to reply with 400/403 for names considered somewhat dangerous -- those containing |
|
Fixed. Thanks for the help! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
A directory traversal vulnerability affecting all Windows platforms has been discovered. Please follow these instructions to find out if you are affected. Please take immediate action if you are.
Am I affected?
You are if you match all of the following requirements:
cowboy_static(orcowboy_http_staticin older versions)How serious is it?
This vulnerability allows an attacker to request any file from your system (only limited by the access rights of the user running the Erlang VM). The attacker cannot list files through this vulnerability. This however does not reduce the seriousness of this vulnerability as an attacker can always use brute force or any other method to try to find files on your system.
How can I fix it?
No patch is currently available.
You should temporarily switch to using IIS or any other web server for serving the static files, or use a CDN instead.
How can I make sure this will not happen again?
A fully cross-platform fix will be pushed to Cowboy in the coming days.
This issue exists essentially because Windows isn't a supported platform and we do not have the resources or knowledge to make the Windows experience safe and smooth.
If you are a Windows user, you can ensure that kind of issue does not happen again by becoming a regular contributor and making sure the team is aware of any potential issue that may arise on Windows.
Why disclose?
Essentially for three reasons:
Please ping this ticket if you are affected. Ignore if you are not. Thanks.
The text was updated successfully, but these errors were encountered: