Security issue with happstack-server < 7.5.1 && base < 4.10

Skip to first unread message

Jeremy Shaw

Mar 31, 2018, 2:48:13 PM3/31/18
to HAppS

There is a security vulnerability in (nearly) all versions of happstack-server < 7.5.1 *if* you are building with base < 4.10. (Which first shipped with GHC 8.2.1).

If you are not already, it is recommended that you recompile your code against base 4.10 or higher or upgrade to happstack-server 7.5.1.

In base < 4.10, openBinaryTempFile did not disallow path separators in the filepath and happstack-server did not sanitize the user supplied data. As a result, it is possible to form a request which creates a temporary file anywhere the server has write permission. There are a few restrictions:

 1. it will not overwrite an existing file
 2. the filename has a pseudo-random string inserted before the suffix making it harder to guess the name
 3. the file is removed once the request has been handled by the server

The exploit was reported here,

This is the patch that was applied:

Big thanks to Hamid Ebadi for reporting this issue.

- jeremy
Reply all
Reply to author
0 new messages