CVE-2009-0841
Directory traversal vulnerability in mapserv.c in mapserv in MapServer 4.x before 4.10.4 and 5.x before 5.2.2, when running on Windows with Cygwin, allows remote attackers to create arbitrary files via a .. (dot dot) in the id parameter.
| Software | From | Fixed in |
|---|---|---|
| umn / mapserver | 4.0 | 4.0.x |
| umn / mapserver | 4.0-beta1 | 4.0-beta1.x |
| umn / mapserver | 4.0-beta2 | 4.0-beta2.x |
| osgeo / mapserver | 4.2.0-beta1 | 4.2.0-beta1.x |
| osgeo / mapserver | 4.4.0-beta1 | 4.4.0-beta1.x |
| osgeo / mapserver | 4.4.0-beta2 | 4.4.0-beta2.x |
| osgeo / mapserver | 4.6.0-beta1 | 4.6.0-beta1.x |
| osgeo / mapserver | 4.6.0-beta2 | 4.6.0-beta2.x |
| osgeo / mapserver | 4.6.0-beta3 | 4.6.0-beta3.x |
| osgeo / mapserver | 4.8.0-beta2 | 4.8.0-beta2.x |
| osgeo / mapserver | 4.8.0-beta1 | 4.8.0-beta1.x |
| osgeo / mapserver | 4.8.0-beta3 | 4.8.0-beta3.x |
| osgeo / mapserver | 4.8.0-rc2 | 4.8.0-rc2.x |
| osgeo / mapserver | 4.8.0-rc1 | 4.8.0-rc1.x |
| osgeo / mapserver | 4.10.0 | 4.10.0.x |
| osgeo / mapserver | 4.10.0-beta1 | 4.10.0-beta1.x |
| osgeo / mapserver | 4.10.0-rc1 | 4.10.0-rc1.x |
| osgeo / mapserver | 4.10.0-beta3 | 4.10.0-beta3.x |
| osgeo / mapserver | 4.10.0-beta2 | 4.10.0-beta2.x |
| osgeo / mapserver | 4.10.2 | 4.10.2.x |
| osgeo / mapserver | 4.10.1 | 4.10.1.x |
| osgeo / mapserver | 4.10.3 | 4.10.3.x |
| osgeo / mapserver | 5.0.0-beta5 | 5.0.0-beta5.x |
| osgeo / mapserver | 5.0.0-beta6 | 5.0.0-beta6.x |
| osgeo / mapserver | 5.0.0-beta3 | 5.0.0-beta3.x |
| osgeo / mapserver | 5.0.0-beta4 | 5.0.0-beta4.x |
| osgeo / mapserver | 5.0.0-beta1 | 5.0.0-beta1.x |
| osgeo / mapserver | 5.0.0-beta2 | 5.0.0-beta2.x |
| osgeo / mapserver | 5.0.0-rc1 | 5.0.0-rc1.x |
| osgeo / mapserver | 5.2.0 | 5.2.0.x |
| osgeo / mapserver | 5.2.0-beta2 | 5.2.0-beta2.x |
| osgeo / mapserver | 5.2.0-beta1 | 5.2.0-beta1.x |
| osgeo / mapserver | 5.2.0-beta3 | 5.2.0-beta3.x |
| osgeo / mapserver | 5.2.0-beta4 | 5.2.0-beta4.x |
| osgeo / mapserver | 5.2.0-rc1 | 5.2.0-rc1.x |
| osgeo / mapserver | 5.2.1 | 5.2.1.x |
| osgeo / mapserver | 4.6.0 | 4.6.0.x |
| osgeo / mapserver | 4.6.0-rc1 | 4.6.0-rc1.x |
| osgeo / mapserver | 5.0.0-rc2 | 5.0.0-rc2.x |
| osgeo / mapserver | 5.0.0 | 5.0.0.x |
| osgeo / mapserver | 4.4.0 | 4.4.0.x |
| osgeo / mapserver | 4.4.0-beta3 | 4.4.0-beta3.x |
- http://lists.osgeo.org/pipermail/mapserver-users/2009-March/060600.html
- http://secunia.com/advisories/34520
- http://secunia.com/advisories/34603
- http://trac.osgeo.org/mapserver/ticket/2942
- http://www.debian.org/security/2009/dsa-1914
- http://www.positronsecurity.com/advisories/2009-000.html
- http://www.securityfocus.com/archive/1/502271/100/0/threaded
- http://www.securityfocus.com/bid/34306
- http://www.securitytracker.com/id?1021952
- https://exchange.xforce.ibmcloud.com/vulnerabilities/49548
- https://www.redhat.com/archives/fedora-package-announce/2009-April/msg00147.html
- https://www.redhat.com/archives/fedora-package-announce/2009-April/msg00170.html
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime