FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

h2o -- directory traversal vulnerability

Affected packages
h2o < 1.4.5

Details

VuXML ID 31ea7f73-5c55-11e5-8607-74d02b9a84d5
Discovery 2015-09-14
Entry 2015-09-16

Yakuzo reports:

H2O (up to version 1.4.4 / 1.5.0-beta1) contains a flaw in its URL normalization logic.

When file.dir directive is used, this flaw allows a remote attacker to retrieve arbitrary files that exist outside the directory specified by the directive.

H2O version 1.4.5 and version 1.5.0-beta2 have been released to address this vulnerability.

Users are advised to upgrade their servers immediately.

The vulnerability was reported by: Yusuke OSUMI.

References

CVE Name CVE-2015-5638
URL http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5638