Security advisory & SabreDAV 1.6.9, 1.7.7 and 1.8.5 released (CVE-2013-1939)
Evert Pot, 4/11/13 6:05 AM
I just released versions 1.6.9, 1.7.7 and 1.8.5.
These releases contain a security fix for Windows users. If you are running a SabreDAV version 1.6.7, 1.7.5 or 1.8.3 or older on a Windows machine, you're strongly encouraged to upgrade.
To do so, grab the latest zip from:
composer update sabre/dav
The problem was in the serving of icons and images by the 'HTML\Browser' plugin. Because Windows uses the backslash as a path separator, the base path was not correctly checked, making it possible to read any accessible file on the filesystem.
As a workaround, you can set up the plugin as follows to disable this feature (serving of icons and images) completely:
// 1.8
$plugin = new Sabre\DAV\Browser\Plugin(true, false);
// 1.6, 1.7
$plugin = new Sabre_DAV_Browser_Plugin(true, false);
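The root cause above is a base-path check that only recognises "/" as a separator. As an added illustration (my own example code, not SabreDAV's implementation), the following PHP function shows a separator-agnostic containment check for serving static assets: it normalises backslashes, rejects "." and ".." segments, and compares canonical paths. The function name, the assets directory and the demo filenames are assumptions for illustration.

```php
<?php
// Added example, not SabreDAV code. Resolves an asset filename safely
// under $assetsDir on both Windows and POSIX; returns null on any
// rejection so the caller can answer 404.
function resolveAssetPath(string $assetsDir, string $requested): ?string
{
    // Embedded NUL bytes are never valid in a filename.
    if (strpos($requested, "\0") !== false) {
        return null;
    }

    // Treat backslash as a separator everywhere, so a check that only
    // splits on "/" cannot be bypassed on a Windows host.
    $requested = str_replace('\\', '/', $requested);

    // Assets live in a flat directory tree: refuse empty, "." and ".."
    // segments (an empty first segment means an absolute path).
    foreach (explode('/', $requested) as $segment) {
        if ($segment === '' || $segment === '.' || $segment === '..') {
            return null;
        }
    }

    $base = realpath($assetsDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false) {
        return null; // file does not exist
    }

    // Final containment check on canonical paths. realpath() on Windows
    // returns backslashes, so normalise both sides before comparing, and
    // compare case-insensitively where the filesystem is.
    $baseNorm = rtrim(str_replace('\\', '/', $base), '/') . '/';
    $candNorm = str_replace('\\', '/', $candidate);
    $cmp = (DIRECTORY_SEPARATOR === '\\') ? 'strncasecmp' : 'strncmp';
    if ($cmp($candNorm, $baseNorm, strlen($baseNorm)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed demo: a throw-away assets directory with one real file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'asset-check-demo';
@mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'favicon.ico', 'demo');

var_dump(resolveAssetPath($dir, 'favicon.ico') !== null);       // bool(true)
var_dump(resolveAssetPath($dir, '..\\outside.txt') === null);   // bool(true)
var_dump(resolveAssetPath($dir, '../outside.txt') === null);    // bool(true)
var_dump(resolveAssetPath($dir, 'missing.png') === null);       // bool(true)
```

The realpath() step alone is not sufficient as a defence: it fails for non-existent files and, on Windows, returns backslash-separated paths that a naive "starts with $base . '/'" prefix test will not match. Doing the segment rejection before touching the filesystem and normalising both sides before the prefix comparison closes both gaps.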
Thanks to Lukas Reschke for reporting this issue.