This CPE summary could be partial or incomplete. Please contact us for a detailed listing.

Summary

Detail
Vendor: Gisle Aas
Product: Libwww-Perl
Version: 5.35
Type: Application
First view: 2010-07-06
Last view: 2011-05-13
Update: *
Edition: *
Language: *
Software Edition: *
Target Software: *
Target Hardware: *
Other: *
 
CPE Product cpe:2.3:a:gisle_aas:libwww-perl

Related : CVE

  Date Alert Description
4.3 2011-05-13 CVE-2011-0633

The Net::HTTPS module in libwww-perl (LWP) before 6.00, as used in WWW::Mechanize, LWP::UserAgent, and other products, when running in environments that do not set the If-SSL-Cert-Subject header, does not enable full validation of SSL certificates by default, which allows remote attackers to spoof servers via man-in-the-middle (MITM) attacks involving hostnames that are not properly validated. NOTE: it could be argued that this is a design limitation of the Net::HTTPS API, and separate implementations should be independently assigned CVE identifiers for not working around this limitation. However, because this API was modified within LWP, a single CVE identifier has been assigned.

6.8 2010-07-06 CVE-2010-2253

lwp-download in libwww-perl before 5.835 does not reject downloads to filenames that begin with a . (dot) character, which allows remote servers to create or overwrite files via (1) a 3xx redirect to a URL with a crafted filename or (2) a Content-Disposition header that suggests a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home directory.

CWE : Common Weakness Enumeration

% id Name
100% (2) CWE-20 Improper Input Validation

Open Source Vulnerability Database (OSVDB)

id Description
73397 Perl libwww-perl Net::HTTPS Module SSL Certificate Common Field Name Validati...
66107 libwww-perl lwp-download Multiple Header Dot Character Arbitrary File Overwrite

OpenVAS Exploits

id Description
2010-12-02 Name : Fedora Update for perl-libwww-perl FEDORA-2010-15405
File : nvt/gb_fedora_2010_15405_perl-libwww-perl_fc14.nasl
2010-11-16 Name : Fedora Update for perl-libwww-perl FEDORA-2010-15532
File : nvt/gb_fedora_2010_15532_perl-libwww-perl_fc13.nasl
2010-10-10 Name : FreeBSD Ports: p5-libwww
File : nvt/freebsd_p5-libwww.nasl
2010-09-07 Name : Mandriva Update for perl-libwww-perl MDVSA-2010:167 (perl-libwww-perl)
File : nvt/gb_mandriva_MDVSA_2010_167.nasl
2010-09-07 Name : Ubuntu Update for libwww-perl vulnerability USN-981-1
File : nvt/gb_ubuntu_USN_981_1.nasl

Nessus® Vulnerability Scanner

id Description
2014-06-13 Name: The remote openSUSE host is missing a security update.
File: suse_11_4_perl-libwww-perl-110526.nasl - Type: ACT_GATHER_INFO
2014-02-05 Name: The remote Gentoo host is missing one or more security-related patches.
File: gentoo_GLSA-201402-04.nasl - Type: ACT_GATHER_INFO
2013-09-04 Name: The remote Amazon Linux AMI host is missing a security update.
File: ala_ALAS-2011-17.nasl - Type: ACT_GATHER_INFO
2011-05-31 Name: The remote SuSE 11 host is missing a security update.
File: suse_11_perl-libwww-perl-110523.nasl - Type: ACT_GATHER_INFO
2010-11-03 Name: The remote Fedora host is missing a security update.
File: fedora_2010-15405.nasl - Type: ACT_GATHER_INFO
2010-11-03 Name: The remote Fedora host is missing a security update.
File: fedora_2010-15532.nasl - Type: ACT_GATHER_INFO
2010-09-01 Name: The remote FreeBSD host is missing a security-related update.
File: freebsd_pkg_3a7c5fc4b50c11df977becc31dd8ad06.nasl - Type: ACT_GATHER_INFO
2010-09-01 Name: The remote Mandriva Linux host is missing a security update.
File: mandriva_MDVSA-2010-167.nasl - Type: ACT_GATHER_INFO
2010-09-01 Name: The remote Ubuntu host is missing a security-related patch.
File: ubuntu_USN-981-1.nasl - Type: ACT_GATHER_INFO