Embedthis has patched a null byte injection vulnerability in GoAhead, the embedded web server deployed in hundreds of millions of devices. “A specially crafted URL with a %00 character embedded before the extension can cause an incorrect file with a truncated filename to be served,” reads a security advisory on GitHub documenting the bug. Citing hypothetical URL https://example.com/example%00.html, the advisory says “the %00 is decoded to be a NULL”, resulting in the file handler serving ‘example’ instead of ‘example.html’. As a result, “remote attackers could gain access to documents with names that are strict subsets of longer valid URLs.” The advisory nevertheless describes the bug’s severity as ‘low’ since “an exploit requires [either] an additional vulnerability via uploaded malicious files” or a device that has misconfigured file uploads to be permitted “to a directory that also serves content”. CSP bypass leading to XSS The flaw was discovered by Luke Rindels, an inf...
🎠"If you want to keep a secret, you must also hide it from yourself"ðŸŽ