| VID | 22362 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | WWW |
| Detailed Description |
The Yaws web server is vulnerable to source code disclosure. Yaws is an HTTP server written in Erlang. Yaws version 1.55 and earlier versions could allow a remote attacker to view the source code of yaws scripts: when a request for a .yaws script is followed by a trailing %00 (URL-encoded null byte), the server returns the source of the requested file.
* References: http://www.sec-consult.com/181.html http://secunia.com/advisories/15740/ http://marc.theaimsgroup.com/?l=bugtraq&m=111927717726371&w=2 http://www.osvdb.org/17375
* Platforms Affected: Yaws version 1.55 and earlier versions (any operating system, any version) |
| Recommendation |
Upgrade to the latest version of Yaws (1.56 or later), available from the Yaws Web site at http://yaws.hyber.org/ |
| Related URL | CVE-2005-2008 (CVE) |
| Related URL | 13981 (SecurityFocus) |
| Related URL | 21037 (ISS) |