Seagull 0.6.3 Remote File Disclosure Vulnerability - Please Upgrade

January 24, 2008 01:14, contributed by: seagull

Well the title says it all, but I don't think this is a reason for anyone to have a heart attack, aside from me but I'm recovered now

Please download Seagull 0.6.4 which includes the small fix required to solve the file disclosure problem. 0.6.3 is no longer available.

As the release has only been out <24 hours I doubt there are many production sites running on the vulnerable code, but if you were svn updating a live site, a very bad practice by the way, then svn up again

The problem: very simple, some recent code we introduced to merge, compress and cache CSS and js files was accepting arbitrary paths from GET - ouch. The checking is now much more stringent.

Thanks to the gentleman over at milw0rm.com who posted the flaw less than 24hrs after the release went out. While he didn't inform me or anyone I know of, Google alerts notified me of his announcement. In my view this is open source (with a little help from Google) working at its best.

Finally, please note that the title of the exploit article is inaccurate, it claims versions <= 0.6.3 are affected, this is not true, the affected optimizer.php file was only introduced in 0.6.3.

[back to list]

comments

be the first to leave a comment

Enter your comment Note: Comments must be approved before being displayed.

Name:

*Email:

Homepage:

*Comment:

* Please enter the number shown below in the relevant field

   #     #####    #####   ####### 
  ##    #     #  #     #  #    #  
 # #          #  #            #   
   #     #####   ######      #    
   #    #        #     #    #     
   #    #        #     #    #     
 #####  #######   #####     #