Almaember almaember at disroot.org
Sat May 15 12:09:36 BST 2021
- - - - - - - - - - - - - - - - - - -
On 13/05/2021 07:46, Remco wrote:
A couple of days ago I've found and fix a path traversal issue in the
dezhemini (aka dʒɛmɪni) gemini server software. A specially crafted URL
will allow an attacker to read arbitrary files from the host file
system.
The issue is fixed in commit 2dba1ee1c875b07ca2e04f8bf2d03bfc5b2afc5f.
All versions prior to this commit are vulnerable to this type of
intrusion.
Thanks for notifying everyone! This seems to be a common security issue with Gemini servers.
A question to everybody reading the list, how badly would it break the spec to simply block any request whose URLs contain ".." as a standalone path-element?
~almaember