A bugfix was recently released for a vulnerability in the appserver's web request/response interface.

This vulnerability was present in versions prior to 1.0.3 and was exposed by the bundled webserver's HTTP parsing library. The URI received from a web client was not normalized correctly, which allowed traversal through the host's file system outside the configured document root. Specially crafted HTTP requests could therefore access files that should have been inaccessible.

We STRONGLY advise everyone to update to version 1.0.3 or higher.

Alternatively, you can update the appserver-io/http Composer package to version 1.1.1.
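
For readers who handle request paths in their own PHP code, the kind of check described above looks like this. It is an added example, not the appserver patch or code from the appserver-io/http package; the function names, the temporary directory and the request targets are constructed for illustration.

```php
<?php
// Hypothetical helper: normalized absolute path for a raw request target, or null to reject.
function normalizeRequestPath(string $rawTarget): ?string
{
    // Drop query string and fragment, then percent-decode exactly once.
    $path = rawurldecode(preg_split('/[?#]/', $rawTarget, 2)[0]);
    // Reject empty or relative paths, NUL bytes and backslashes outright.
    if ($path === '' || $path[0] !== '/' || strpbrk($path, "\0\\") !== false) {
        return null;
    }
    $segments = [];
    foreach (explode('/', $path) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment !== '..') {
            $segments[] = $segment;
        } elseif (array_pop($segments) === null) {
            return null; // climbing above the root is rejected, not clamped
        }
    }
    return '/' . implode('/', $segments);
}

// Hypothetical helper: real path of the requested file inside $documentRoot, or null.
function resolveUnderDocumentRoot(string $documentRoot, string $rawTarget): ?string
{
    $path = normalizeRequestPath($rawTarget);
    $root = realpath($documentRoot);
    if ($path === null || $root === false) {
        return null;
    }
    // realpath() follows symlinks, so containment is re-checked on the final result.
    $file = realpath($root . $path);
    $prefix = $root . DIRECTORY_SEPARATOR;
    if ($file === false || ($file !== $root && strncmp($file, $prefix, strlen($prefix)) !== 0)) {
        return null;
    }
    return $file;
}

// Constructed demo: temporary document root with one file, and constructed request targets.
$root = sys_get_temp_dir() . '/docroot_' . bin2hex(random_bytes(4));
mkdir($root . '/css', 0700, true);
file_put_contents($root . '/css/site.css', 'body{}');
foreach (['/css/./x/../site.css?v=1', '/../outside.txt', '/css/%2e%2e/%2e%2e/outside.txt'] as $t) {
    echo $t, ' => ', resolveUnderDocumentRoot($root, $t) === null ? 'rejected' : 'served', PHP_EOL;
}
unlink($root . '/css/site.css'); rmdir($root . '/css'); rmdir($root);
```

The path is decoded once before dot segments are resolved, and the resolved file is compared against the real document root a second time so that a symlink inside the root cannot lead outside it.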
