FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

p5-libwww -- possibility to remote servers to create file with a .(dot) character

Affected packages
p5-libwww < 5.835

Details

VuXML ID 3a7c5fc4-b50c-11df-977b-ecc31dd8ad06
Discovery 2010-06-09
Entry 2010-08-31

lwp-download in libwww-perl before 5.835 does not reject downloads to filenames that begin with a `.' (dot) character, which allows remote servers to create or overwrite files via a 3xx redirect to a URL with a crafted filename or a Content-Disposition header that suggests a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home directory.

References

CVE Name CVE-2010-2253
URL http://cpansearch.perl.org/src/GAAS/libwww-perl-5.836/Changes