FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

p5-Dancer -- possible to abuse session cookie values

Affected packages
p5-Dancer < 1.3138

Details

VuXML ID 968d1e74-1740-11e5-a643-40a8f0757fb4
Discovery 2015-06-12
Entry 2015-06-20

Russell Jenkins reports:

It was possible to abuse session cookie values so that file-based session stores such as Dancer::Session::YAML or Dancer2::Session::YAML would attempt to read/write from any file on the filesystem with the same extension the file-based store uses, such as '*.yml' for the YAML stores.

References

URL http://lists.preshweb.co.uk/pipermail/dancer-users/2015-June/004621.html