HTTP::Body before 1.23 for Perl is still vulnerable to CVE-2013-4407

Related Vulnerabilities: CVE-2013-4407

oss-sec mailing list archives

From: Stig Palmquist <stig () stig io>

Date: Sun, 07 Apr 2024 12:47:55 +0000

HTTP::Body after 1.07 and before 1.23 for Perl handles multipart file uploads as
temporary files while retaining the client-supplied file extensions. An attacker can
provide crafted filenames containing, for example, shell metacharacters, affecting
programs that expect these temporary filenames to be well formed.

Version 1.23 of HTTP::Body has been fixed upstream to set a static ".upload"
extension, overriding user provided extensions by default.

Users are recommended to update to version 1.23 or later.

NOTE: Currently, the CVE description incorrectly indicates that this was fixed
in versions after 1.17.

Version 1.18 provided:
- A global variable to set the regex used to validate extensions
- A code comment containing a stricter regex
- No change to the default behavior

Debian and other distributions are carrying a patch for CVE-2013-4407 including
the stricter regex for versions before 1.23.
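As an added illustration (not HTTP::Body's own code, and written in Python rather than Perl), the three extension policies this advisory contrasts, side by side: the pre-1.23 behaviour that copies the client's extension into the temporary filename, a strict allow-list in the spirit of the Debian patch, and the 1.23 default static ".upload" suffix. The allow-list regex, the well-formedness check and the sample filename are assumptions constructed for this example, not the module's or the patch's actual patterns.

```python
import os
import re
import tempfile

# Assumed allow-list for an extension carried into a temp filename. This is an
# example policy, not the regex HTTP::Body 1.18 or the Debian patch actually use.
SAFE_EXT_RE = re.compile(r"^\.[A-Za-z0-9_]{1,16}$")

# The static suffix HTTP::Body 1.23 applies by default.
STATIC_SUFFIX = ".upload"


def client_extension(filename: str) -> str:
    """Extension exactly as the client sent it (everything after the last dot)."""
    return os.path.splitext(filename)[1]


def suffix_retaining(filename: str) -> str:
    """Pre-1.23 style: reuse the client's extension verbatim (the vulnerable behaviour)."""
    return client_extension(filename)


def suffix_strict(filename: str) -> str:
    """Hardened variant: keep the extension only when it passes the allow-list."""
    ext = client_extension(filename)
    return ext if SAFE_EXT_RE.match(ext) else STATIC_SUFFIX


def suffix_static(filename: str) -> str:
    """1.23 default: ignore the client's extension entirely."""
    return STATIC_SUFFIX


def is_well_formed(tmp_path: str) -> bool:
    """Assumed check a downstream program might rely on: basename is plain ASCII
    letters, digits, dot, underscore or hyphen, so it is safe to pass on unquoted."""
    return re.fullmatch(r"[A-Za-z0-9._-]+", os.path.basename(tmp_path)) is not None


def make_temp_upload(filename: str, policy) -> str:
    """Create the temporary upload file the way each policy would name it."""
    fd, path = tempfile.mkstemp(suffix=policy(filename))
    os.close(fd)
    return path


if __name__ == "__main__":
    # Constructed sample: a client-controlled filename carrying a shell metacharacter.
    crafted = "notes.txt;ls"
    for policy in (suffix_retaining, suffix_strict, suffix_static):
        path = make_temp_upload(crafted, policy)
        print(f"{policy.__name__:17s} -> {os.path.basename(path)!r:24s} well formed: {is_well_formed(path)}")
        os.unlink(path)
```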

References:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4407
https://metacpan.org/release/GETTY/HTTP-Body-1.23/view/lib/HTTP/Body.pm#NOTES
https://metacpan.org/release/GETTY/HTTP-Body-1.18/source/lib/HTTP/Body/MultiPart.pm#L262
https://salsa.debian.org/perl-team/modules/packages/libhttp-body-perl/-/blob/8645c1b4b6a39f6d82b7a05869d567ae4e8f0e24/debian/patches/CVE-2013-4407.patch
