CVE-2014-9707 Information

Description

EmbedThis GoAhead 3.0.0 through 3.4.1 does not properly handle path segments starting with a . (dot) which allows remote attackers to conduct directory traversal attacks cause a denial of service (heap-based buffer overflow and crash) or possibly execute arbitrary code via a crafted URI.

Reference

http://packetstormsecurity.com/files/131156/GoAhead-3.4.1-Heap-Overflow-Traversal.html http://seclists.org/fulldisclosure/2015/Mar/157 http://www.securityfocus.com/archive/1/535027/100/0/threaded http://www.securitytracker.com/id/1032208 https://github.com/embedthis/goahead/commit/eed4a7d177bf94a54c7b06ccce88507fbd76fb77 https://github.com/embedthis/goahead/issues/106