OMGeeky/advisory-db
1
0
Fork 0
mirror of https://github.com/OMGeeky/advisory-db.git synced 2025-12-30 08:13:58 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #353 from alexanderkjall/master

Browse Source 
Missing sanitazion in mozwire allows local file overwrite of files ending in .conf
This commit is contained in:
Sergey "Shnatsel" Davidoff
2020-08-21 02:56:24 +02:00
committed by GitHub
parent 8fba4e52f3 ba84c3b5f6
commit 9eb3f9df91
1 changed files with 20 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
crates/mozwire/RUSTSEC-0000-0000.toml Normal file
View File

@@ -0,0 +1,20 @@
[advisory]
id = "RUSTSEC-0000-0000"
package = "mozwire"
date = "2020-08-18"
title = "Missing sanitazion in mozwire allows local file overwrite of files ending in .conf"
url = "https://github.com/NilsIrl/MozWire/issues/14"
categories = []
keywords = ["file-overwrite"]
description = """
The client software downloaded a list of servers from mozilla's servers and created local files named
after the hostname field in the json document.
No verification of the content of the string was made, and it could therefore have included '../' leading to path traversal.
This allows an attacker in controll of mozilla's servers to overwrite/create local files named .conf.
The flaw was corrected by sanitizing the hostname field.
"""
[versions]
patched = ["> 0.4.1"]