title: Source Code Disclosure in Yaws Webserver
program: Yaws Webserver
vulnerable version: 1.55 and earlier
homepage: http://yaws.hyber.org
found: 2005-06-01
by: M. Eiszner / SEC-CONSULT / www.sec-consult.com
=======================================================================
Yaws is a high performance HTTP 1.1 webserver. Two separate modes of
operation are supported:
* Standalone mode where Yaws runs as a regular webserver daemon.
This is the default mode.
* Embedded mode where Yaws runs as an embedded webserver in another
erlang application.
Yaws is entirely written in Erlang; furthermore, it is a multithreaded
webserver where one Erlang lightweight process is used to handle each
client.
If a null byte is appended to the filename of a yaws script (.yaws), the
yaws webserver returns a page containing the source code of the
corresponding script. This flaw allows a malicious attacker to analyse the
source code of the entire web application, which might result in the
attacker gaining sensitive information like passwords.
The yaws homepage itself was vulnerable to the attack. Opening the link
http://yaws.hyber.org/dynamic.yaws%00 in a browser resulted in the
display of the following code (only the first couple of lines are shown…):
— code —
<erl>
box(Str) ->
    {'div', [{class, "box"}],
     {pre, [], yaws_api:htmlize(Str)}}.

tbox(T) ->
    box(lists:flatten(io_lib:format("~p", [T]))).
…
— /code —
It seems that version 1.55 as well as all prior versions are vulnerable
to the attack described above.
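The following is an added example, not code from the advisory or from the Yaws project. It models the assumed mechanism behind the flaw (the decoded URL is classified by its extension, and a NUL-containing name is later truncated at the NUL by the C-level file open, so the script is served as a static file), shows a hardened dispatcher that rejects NUL bytes up front, and runs a simple detector over constructed access-log lines. All function names and log lines are hypothetical.

```python
from urllib.parse import unquote

SCRIPT_EXT = ".yaws"

def c_string_view(name):
    """Mimic a C-level open(): the name is cut at the first NUL byte (assumed mechanism)."""
    nul = name.find("\x00")
    return name if nul < 0 else name[:nul]

def dispatch_vulnerable(url_path):
    """Decode the URL, classify by extension, then open the file the way the OS sees it.
    '/dynamic.yaws%00' no longer ends in '.yaws', so it is treated as a static file,
    yet the truncated filesystem name is the script itself: its source is sent raw."""
    decoded = unquote(url_path)
    kind = "script" if decoded.endswith(SCRIPT_EXT) else "static"
    return kind, c_string_view(decoded)

def dispatch_hardened(url_path):
    """Reject any decoded path that contains a NUL byte before doing anything else."""
    decoded = unquote(url_path)
    if "\x00" in decoded:
        return "reject", ""
    kind = "script" if decoded.endswith(SCRIPT_EXT) else "static"
    return kind, decoded

# Constructed Common Log Format lines (hypothetical addresses and timestamps).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jun/2005:12:00:00 +0200] "GET /dynamic.yaws HTTP/1.1" 200 1234',
    '10.0.0.5 - - [01/Jun/2005:12:00:01 +0200] "GET /dynamic.yaws%00 HTTP/1.1" 200 5678',
    '10.0.0.7 - - [01/Jun/2005:12:00:02 +0200] "GET /index.html HTTP/1.1" 200 90',
]

def find_nul_requests(log_lines):
    """Detection: return request paths whose percent-decoded form contains a NUL byte."""
    hits = []
    for line in log_lines:
        parts = line.split('"')
        if len(parts) < 2:
            continue
        request = parts[1].split(" ")
        if len(request) >= 2 and "\x00" in unquote(request[1]):
            hits.append(request[1])
    return hits

if __name__ == "__main__":
    print(dispatch_vulnerable("/dynamic.yaws%00"))   # ('static', '/dynamic.yaws')
    print(dispatch_hardened("/dynamic.yaws%00"))     # ('reject', '')
    print(find_nul_requests(SAMPLE_LOG))             # ['/dynamic.yaws%00']
```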
vendor notified: 2005-06-16
vendor response: 2005-06-16
patch available: 2005-06-16
The vendor was extremely fast to respond and post a fix. This is what
vendor vulnerability management should be like!
Download Patch from: http://yaws.hyber.org/yaws-1.55_to_1.56.patch
SEC Consult Unternehmensberatung GmbH
Office Vienna
Blindengasse 3
A-1080 Wien
Austria
Tel.: +43 / 1 / 409 0307 - 570
Fax.: +43 / 1 / 409 0307 - 590
Mail: office at sec-consult dot com
www.sec-consult.com
EOF Daniel Fabian / @2005
d.fabian at sec-consult dot com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/