On Wed, Nov 17, 2010 at 1:06 AM, Moritz Muehlenhoff <j...@debian.org> wrote:
>
> The following vulnerability has been reported in YAWS:
>
> | Directory traversal vulnerability in Yaws 1.89 allows remote attackers
> | to read arbitrary files via ..\ (dot dot backslash) and other
> | sequences.
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4181

It seems like this vulnerability is specific to MS Windows. I can't
reproduce it on Linux, where backslash isn't a directory delimiter (though I've
tried only 1.88 yet, so maybe 1.89 is still vulnerable; I'll check it).

>
> This seems unfixed/unnoticed upstream AFAICT. Please get in touch with
> upstream.

OK.

--
Sergei Golovan
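
Added illustration, not part of the original message and not Yaws code: a Python sketch of why the `..\` sequence named in the advisory leaves the document root only where backslash is a path separator, plus a containment check that does not depend on the host OS. The document roots, the request path and all function names are constructed assumptions, and the request path is assumed to be already URL-decoded.

```python
import ntpath
import posixpath

# Path semantics to compare; both modules are pure Python and work on any host.
SEMANTICS = {"posix": posixpath, "windows": ntpath}

# Constructed document roots (assumptions for this example).
ROOTS = {"posix": "/var/www/html", "windows": r"C:\yaws\www"}


def resolve(flavor, request_path):
    """Map a request path under the docroot using the given path rules."""
    mod = SEMANTICS[flavor]
    return mod.normpath(mod.join(ROOTS[flavor], request_path.lstrip("/")))


def escapes_root(flavor, request_path):
    """True if the resolved path lies outside the docroot for that flavor."""
    mod = SEMANTICS[flavor]
    # normcase is a no-op for posix and lowercases for windows
    resolved = mod.normcase(resolve(flavor, request_path))
    root = mod.normcase(mod.normpath(ROOTS[flavor]))
    return resolved != root and not resolved.startswith(root + mod.sep)


def is_safe_request(request_path):
    """Portable check: treat '/' and '\\' both as separators and refuse any
    '..' component, whatever OS the server runs on."""
    return ".." not in request_path.replace("\\", "/").split("/")


if __name__ == "__main__":
    sample = "/..\\..\\secret.txt"  # constructed request path
    for flavor in SEMANTICS:
        print(flavor, resolve(flavor, sample), escapes_root(flavor, sample))
    print("portable check accepts it:", is_safe_request(sample))
```

Under POSIX rules the whole `..\..\secret.txt` string is one file name inside the docroot, which matches the Linux result reported above; under Windows rules it resolves two levels up.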