Hi. I just released a security update for mathopd. (mathopd 1.5p7)

The problem:

If you use the * construct in your config, as in

  Control {
    Alias /
    Location /var/www/*
  }

then the * will be substituted with the value of the Host header that was supplied by the client. However, this substitution occurs after path translation, and without input verification it could lead to directory traversal, exposing files outside of /var/www.
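To make the risk concrete, here is an added illustration (not mathopd's own code; written for this note) of the same pattern: a raw Host value is spliced in where the * sits in a Location such as /var/www/*, next to a version that validates the Host header as a hostname and then confirms the final path still lies under the virtual host's directory. The document root, the regular expression and the function names are assumptions for the example; mathopd's real translation logic is written in C and differs in detail.

```python
import posixpath
import re

# Constructed example, not mathopd's own code: models the "*" substitution
# from a config line like "Location /var/www/*" and a validating alternative.
DOC_ROOT = "/var/www"  # assumed document root for the example

# The Host header should only ever carry a hostname (RFC 1123 label syntax)
# with an optional :port.  Anything else is rejected outright.  IPv6 literal
# hosts ("[::1]") are deliberately not handled here; that is a simplification.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(r"^(?:" + _LABEL + r"\.)*" + _LABEL + r"(?::\d{1,5})?$")


def unsafe_translate(host, request_path):
    """Substitute the raw Host value for '*' and append the request path.

    This mirrors the flaw described above: no validation of the Host value,
    so the normalised result may land outside DOC_ROOT entirely.
    """
    return posixpath.normpath(
        posixpath.join(DOC_ROOT, host, request_path.lstrip("/"))
    )


def safe_translate(host, request_path):
    """Validate Host first, then check the resolved path stays contained.

    Returns the translated filesystem path, or None if the request must be
    refused (malformed Host, or a path that escapes the vhost directory).
    """
    if not HOST_RE.match(host):
        return None
    host_dir = host.split(":")[0].lower()  # drop any port, normalise case
    vhost_root = posixpath.join(DOC_ROOT, host_dir)
    candidate = posixpath.normpath(
        posixpath.join(vhost_root, request_path.lstrip("/"))
    )
    # Containment check: only paths at or below DOC_ROOT/<host>/ are served.
    if candidate != vhost_root and not candidate.startswith(vhost_root + "/"):
        return None
    return candidate


def is_inside_docroot(path):
    """Helper for checks: True if a translated path lies under DOC_ROOT."""
    return path == DOC_ROOT or path.startswith(DOC_ROOT + "/")


if __name__ == "__main__":
    good = safe_translate("www.example.com:8080", "docs/index.html")
    print("valid host, normal path ->", good)
    print("valid host, dot-dot path ->", safe_translate("www.example.com", "../x.txt"))
    print("malformed host rejected  ->", safe_translate("../../other", "index.html"))
    print("unsafe version contained ->",
          is_inside_docroot(unsafe_translate("../../other", "index.html")))
```

The hostname check is the fix that matters for this advisory; the containment check is a second, independent guard so that a bug in either one does not by itself expose files outside the virtual host's directory.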

If you are still using Mathopd, and use the * feature, you should upgrade as soon as possible.

If you do not use the * feature, then you are not at risk. But you may still want to upgrade.

Vulnerable versions of the software: all 1.4 versions, and all 1.5 versions prior to 1.5p7

Thanks to Mateusz Goik for pointing this out.

Cheers
Michiel
