Prosody security advisory 2016/01/08 - 1

CVE-2016-1231

Affected versions:

0.9.x (before 0.9.9), 0.10 (unreleased)

Affected Prosody modules:

mod_http_files (and community modules that depend on it)

Fixed versions:

0.9.9, 0.10 nightly build 196, trunk nightly build 608

Description

A flaw was found in Prosody's HTTP file-serving module (mod_http_files) that allows it to serve requests outside of the configured public root directory. This could allow attackers access to private files including sensitive data.

Affected configurations

The default configuration has mod_http_files disabled, and is not vulnerable. Additionally, configurations where mod_http_files serves files at the root URL (e.g. not /files/ prefix, using http_paths) are not vulnerable.

Temporary mitigation

Disable mod_http_files and any community modules that depend on it.

Advice

All users should upgrade to 0.9.9, or check their OS distribution for security updates. Users of development branches (0.10, trunk) should upgrade to the latest nightly builds.

Credits

The flaw was discovered by Kim Alvefur, a member of the Prosody team.