Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:8890
HistoryJun 17, 2005 - 12:00 a.m.

[Full-disclosure] Source Code Disclosure in Yaws Webserver <1.56

2005-06-1700:00:00
vulners.com
11
JSON

SEC-CONSULT Security Advisory < 20050616-0 >

              title: Source Code Disclosure in Yaws Webserver
            program: Yaws Webserver
 vulnerable version: 1.55 and earlier
           homepage: http://yaws.hyber.org
              found: 2005-06-01
                 by: M. Eiszner / SEC-CONSULT / www.sec-consult.com

=======================================================================

vendor description:

Yaws is a HTTP high perfomance 1.1 webserver. Two separate modes of
operations are supported:
* Standalone mode where Yaws runs as a regular webserver daemon.
This is the default mode.
* Embedded mode where Yaws runs as an embedded webserver in another
erlang application.

Yaws is entirely written in Erlang furthermore it is a multithreaded
webserver where one Erlang light weight process is used to handle each
client.

vulnerabilty overview:

If a null byte is appended to the filename of a yaws script (.yaws), the
yaws webserver returns a page containing the source code of the
according script. This flaw allows a malicious attacker to analyse the
source code of the entire web application, which might result in the
attacker gaining sensitiv information like passwords.

proof of concept:

The yaws homepage itself was vulnerable to the attack. Opening the link
http://yaws.hyber.org/dynamic.yaws&#37;00 in a browser resulted in the
display of the following code (only the first couple of lines…):

— code —
<erl>

box(Str) ->
{'div',[{class,"box"}],
{pre, [], yaws_api:htmlize(Str)}}.

tbox(T) ->
box(lists:flatten(io_lib:format("~p",[T]))).


— /code —

vulnerable versions:

It seems that version 1.55 as well as all prior versions are vulnerable
to the attack described above.

vendor status:

vendor notified: 2005-06-16
vendor response: 2005-06-16
patch available: 2005-06-16

Vendor was extremly fast to response and post a fix. This is what
vendor vulnerability management should be like!

Download Patch from: http://yaws.hyber.org/yaws-1.55_to_1.56.patch

SEC Consult Unternehmensberatung GmbH

Office Vienna
Blindengasse 3
A-1080 Wien
Austria

Tel.: +43 / 1 / 409 0307 - 570
Fax.: +43 / 1 / 409 0307 - 590
Mail: office at sec-consult dot com
www.sec-consult.com

EOF Daniel Fabian / @2005
d.fabian at sec-consult dot com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
JSON