OMGeeky/advisory-db
1
0
Fork 0
mirror of https://github.com/OMGeeky/advisory-db.git synced 2026-01-18 01:18:09 +01:00
Code Issues Packages Projects Releases Wiki Activity

Missing sanitazion in mozwire allows local file overwrite of files ending in .conf

Browse Source
This commit is contained in:
Alexander Kjäll
2020-08-19 13:19:03 +02:00
parent 8fba4e52f3
commit ba84c3b5f6
1 changed files with 20 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
crates/mozwire/RUSTSEC-0000-0000.toml Normal file
View File

@@ -0,0 +1,20 @@
[advisory]
id = "RUSTSEC-0000-0000"
package = "mozwire"
date = "2020-08-18"
title = "Missing sanitazion in mozwire allows local file overwrite of files ending in .conf"
url = "https://github.com/NilsIrl/MozWire/issues/14"
categories = []
keywords = ["file-overwrite"]
description = """
The client software downloaded a list of servers from mozilla's servers and created local files named
after the hostname field in the json document.
No verification of the content of the string was made, and it could therefore have included '../' leading to path traversal.
This allows an attacker in controll of mozilla's servers to overwrite/create local files named .conf.
The flaw was corrected by sanitizing the hostname field.
"""
[versions]
patched = ["> 0.4.1"]