You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
A directory traversal vulnerability affecting all Windows platforms has been discovered. Please follow these instructions to find out if you are affected. Please take immediate action if you are.
Am I affected?
You are if you match all of the following requirements:
You run Cowboy in production on the Windows platform
You make use of cowboy_static (or cowboy_http_static in older versions)
How serious is it?
This vulnerability allows an attacker to request any file from your system (only limited by the access rights of the user running the Erlang VM). The attacker cannot list files through this vulnerability. This however does not reduce the seriousness of this vulnerability as an attacker can always use brute force or any other method to try to find files on your system.
How can I fix it?
No patch is currently available.
You should temporarily switch to using IIS or any other web server for serving the static files, or use a CDN instead.
How can I make sure this will not happen again?
A fully cross-platform fix will be pushed to Cowboy in the coming days.
This issue exists essentially because Windows isn't a supported platform and we do not have the resources or knowledge to make the Windows experience safe and smooth.
If you are a Windows user, you can ensure that kind of issue does not happen again by becoming a regular contributor and making sure the team is aware of any potential issue that may arise on Windows.
Why disclose?
Essentially for three reasons:
Considering the known user base, a very low number of people might be hit by this issue
A temporary fix is readily available
Community help is needed to ensure a proper fix gets merged
Please ping this ticket if you are affected. Ignore if you are not. Thanks.
The text was updated successfully, but these errors were encountered:
A directory traversal vulnerability affecting all Windows platforms has been discovered. Please follow these instructions to find out if you are affected. Please take immediate action if you are.
Am I affected?
You are if you match all of the following requirements:
cowboy_static
(orcowboy_http_static
in older versions)How serious is it?
This vulnerability allows an attacker to request any file from your system (only limited by the access rights of the user running the Erlang VM). The attacker cannot list files through this vulnerability. This however does not reduce the seriousness of this vulnerability as an attacker can always use brute force or any other method to try to find files on your system.
How can I fix it?
No patch is currently available.
You should temporarily switch to using IIS or any other web server for serving the static files, or use a CDN instead.
How can I make sure this will not happen again?
A fully cross-platform fix will be pushed to Cowboy in the coming days.
This issue exists essentially because Windows isn't a supported platform and we do not have the resources or knowledge to make the Windows experience safe and smooth.
If you are a Windows user, you can ensure that kind of issue does not happen again by becoming a regular contributor and making sure the team is aware of any potential issue that may arise on Windows.
Why disclose?
Essentially for three reasons:
Please ping this ticket if you are affected. Ignore if you are not. Thanks.
The text was updated successfully, but these errors were encountered: