Debian Security Advisory DSA 2801-1 (libhttp-body-perl - design error)
Summary
Jonathan Dolle reported a design error in HTTP::Body, a Perl module for processing data from HTTP POST requests. The HTTP body multipart parser creates temporary files which preserve the suffix of the uploaded file. An attacker able to upload files to a service that uses HTTP::Body::Multipart could potentially execute commands on the server if these temporary filenames are used in subsequent commands without further checks.

This update restricts the possible suffixes used for the created temporary files.

The oldstable distribution (squeeze) is not affected by this problem.
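The defensive pattern the summary describes, as an added example that is not code from HTTP::Body or from the Debian patch: a client-supplied filename contributes only an allowlisted suffix to the temporary filename, and that filename reaches external programs without passing through a shell. The helper names, the allowlist and the sample filenames are assumptions made for illustration.

```perl
use strict;
use warnings;
use File::Spec ();
use File::Temp ();

# Hypothetical allowlist of suffixes this application accepts.
my %ALLOWED = map { $_ => 1 } qw(.jpg .jpeg .png .gif .pdf .txt);

# Hypothetical helper: reduce a client-supplied filename to a suffix that is
# safe to reuse in a temporary filename, or '' when nothing qualifies.
sub safe_suffix {
    my ($client_name) = @_;
    return '' unless defined $client_name;
    # Last extension only: a dot plus 1-10 ASCII alphanumerics at end of string.
    my ($ext) = $client_name =~ /(\.[A-Za-z0-9]{1,10})\z/;
    return '' unless defined $ext;
    $ext = lc $ext;
    return $ALLOWED{$ext} ? $ext : '';
}

# Create the temporary file; File::Temp generates the rest of the name.
sub upload_tempfile {
    my ($client_name) = @_;
    return File::Temp->new(
        DIR    => File::Spec->tmpdir,
        SUFFIX => safe_suffix($client_name),
        UNLINK => 1,
    );
}

# Constructed sample filenames, as a client might send them.
for my $name ('holiday.JPG', 'archive.tar.gz', 'notes.txt;x', 'no_extension') {
    my $fh = upload_tempfile($name);
    printf "%-16s -> suffix '%s'\n", $name, safe_suffix($name);
    # List-form system() runs the program directly, with no shell in between,
    # so the filename is passed as a single argument.
    system('ls', '-l', '--', $fh->filename) == 0
        or warn "ls failed for $name\n";
}
```

Upgrading the package remains the fix; code that consumes upload temporary files can apply the list-form call independently of the installed version.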
Affected Software
libhttp-body-perl on Debian Linux
Detection Method
This check tests the installed software version using the apt package manager.
Solution
For the stable distribution (wheezy), this problem has been fixed in version 1.11-1+deb7u1.

For the testing distribution (jessie), this problem has been fixed in version 1.17-2.

For the unstable distribution (sid), this problem has been fixed in version 1.17-2.

We recommend that you upgrade your libhttp-body-perl packages.