Summary
| Detail | |||
|---|---|---|---|
| Vendor | Gisle Aas | First view | 2010-07-06 |
| Product | Libwww-Perl | Last view | 2011-05-13 |
| Version | 5.35 | Type | Application |
| Update | * | ||
| Edition | * | ||
| Language | * | ||
| Sofware Edition | * | ||
| Target Software | * | ||
| Target Hardware | * | ||
| Other | * | ||
| CPE Product | cpe:2.3:a:gisle_aas:libwww-perl | ||
Activity : Overall
Related : CVE
| Date | Alert | Description | |
|---|---|---|---|
| 4.3 | 2011-05-13 | CVE-2011-0633 | The Net::HTTPS module in libwww-perl (LWP) before 6.00, as used in WWW::Mechanize, LWP::UserAgent, and other products, when running in environments that do not set the If-SSL-Cert-Subject header, does not enable full validation of SSL certificates by default, which allows remote attackers to spoof servers via man-in-the-middle (MITM) attacks involving hostnames that are not properly validated. NOTE: it could be argued that this is a design limitation of the Net::HTTPS API, and separate implementations should be independently assigned CVE identifiers for not working around this limitation. However, because this API was modified within LWP, a single CVE identifier has been assigned. |
| 6.8 | 2010-07-06 | CVE-2010-2253 | lwp-download in libwww-perl before 5.835 does not reject downloads to filenames that begin with a . (dot) character, which allows remote servers to create or overwrite files via (1) a 3xx redirect to a URL with a crafted filename or (2) a Content-Disposition header that suggests a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home directory. |
CWE : Common Weakness Enumeration
| % | id | Name |
|---|---|---|
| 100% (2) | CWE-20 | Improper Input Validation |
Open Source Vulnerability Database (OSVDB)
| id | Description |
|---|---|
| 73397 | Perl libwww-perl Net::HTTPS Module SSL Certificate Common Field Name Validati... |
| 66107 | libwww-perl lwp-download Multiple Header Dot Character Arbitrary File Overwrite |
OpenVAS Exploits
| id | Description |
|---|---|
| 2010-12-02 | Name : Fedora Update for perl-libwww-perl FEDORA-2010-15405 File : nvt/gb_fedora_2010_15405_perl-libwww-perl_fc14.nasl |
| 2010-11-16 | Name : Fedora Update for perl-libwww-perl FEDORA-2010-15532 File : nvt/gb_fedora_2010_15532_perl-libwww-perl_fc13.nasl |
| 2010-10-10 | Name : FreeBSD Ports: p5-libwww File : nvt/freebsd_p5-libwww.nasl |
| 2010-09-07 | Name : Mandriva Update for perl-libwww-perl MDVSA-2010:167 (perl-libwww-perl) File : nvt/gb_mandriva_MDVSA_2010_167.nasl |
| 2010-09-07 | Name : Ubuntu Update for libwww-perl vulnerability USN-981-1 File : nvt/gb_ubuntu_USN_981_1.nasl |
Nessus® Vulnerability Scanner
| id | Description |
|---|---|
| 2014-06-13 | Name: The remote openSUSE host is missing a security update. File: suse_11_4_perl-libwww-perl-110526.nasl - Type: ACT_GATHER_INFO |
| 2014-02-05 | Name: The remote Gentoo host is missing one or more security-related patches. File: gentoo_GLSA-201402-04.nasl - Type: ACT_GATHER_INFO |
| 2013-09-04 | Name: The remote Amazon Linux AMI host is missing a security update. File: ala_ALAS-2011-17.nasl - Type: ACT_GATHER_INFO |
| 2011-05-31 | Name: The remote SuSE 11 host is missing a security update. File: suse_11_perl-libwww-perl-110523.nasl - Type: ACT_GATHER_INFO |
| 2010-11-03 | Name: The remote Fedora host is missing a security update. File: fedora_2010-15405.nasl - Type: ACT_GATHER_INFO |
| 2010-11-03 | Name: The remote Fedora host is missing a security update. File: fedora_2010-15532.nasl - Type: ACT_GATHER_INFO |
| 2010-09-01 | Name: The remote FreeBSD host is missing a security-related update. File: freebsd_pkg_3a7c5fc4b50c11df977becc31dd8ad06.nasl - Type: ACT_GATHER_INFO |
| 2010-09-01 | Name: The remote Mandriva Linux host is missing a security update. File: mandriva_MDVSA-2010-167.nasl - Type: ACT_GATHER_INFO |
| 2010-09-01 | Name: The remote Ubuntu host is missing a security-related patch. File: ubuntu_USN-981-1.nasl - Type: ACT_GATHER_INFO |
