Source Code Disclosure in Yaws Webserver

SEC-CONSULT Security Advisory < 20050616-0 >


title: Source Code Disclosure in Yaws Webserver

program: Yaws Webserver

vulnerable version: 1.55 and earlier


found: 2005-06-01

by: M. Eiszner / SEC-CONSULT /



vendor description:



Yaws is a HTTP high performance 1.1 webserver. Two separate modes of
operations are supported:

* Standalone mode where Yaws runs as a regular webserver daemon.
  This is the default mode.
* Embedded mode where Yaws runs as an embedded webserver in another
  erlang application.

Yaws is entirely written in Erlang furthermore it is a multithreaded
webserver where one Erlang light weight process is used to handle each




vulnerability overview:



If a null byte is appended to the filename of a yaws script (.yaws), the
yaws webserver returns a page containing the source code of the
corresponding script. This flaw allows a malicious attacker to analyse the
source code of the entire web application, which might result in the
attacker gaining sensitive information like passwords.
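
The following is an added example, not part of the original advisory or of the Yaws code base: a log check that flags requests naming a .yaws script followed by a null byte. It assumes the access log is in Common Log Format; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Request line inside a Common Log Format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def decode_path(target, rounds=2):
    """Percent-decode the path up to `rounds` times so %2500 is caught too."""
    path = target.split("?", 1)[0].encode("latin-1", "replace")
    for _ in range(rounds):
        decoded = unquote_to_bytes(path)
        if decoded == path:
            break
        path = decoded
    return path

def null_byte_script_request(line, extensions=(b".yaws",)):
    """Return the script path if the request names a script followed by NUL."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    path = decode_path(m.group("target"))
    if b"\x00" not in path:
        return None
    prefix = path.split(b"\x00", 1)[0]
    # Case-insensitive match is a conservative assumption, not Yaws behaviour.
    if prefix.lower().endswith(extensions):
        return prefix.decode("latin-1")
    return None

def scan(lines):
    """Return (line number, script path) for every suspicious request."""
    return [(i, hit) for i, line in enumerate(lines, 1)
            if (hit := null_byte_script_request(line))]

# Constructed sample log lines (documentation address range), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Jun/2005:10:00:01 +0200] "GET /index.yaws HTTP/1.1" 200 5120',
    '192.0.2.44 - - [16/Jun/2005:10:00:07 +0200] "GET /index.yaws%00 HTTP/1.1" 200 9130',
    '192.0.2.44 - - [16/Jun/2005:10:00:09 +0200] "GET /shop/cart.YAWS%2500?id=1 HTTP/1.1" 200 7710',
    '192.0.2.12 - - [16/Jun/2005:10:00:12 +0200] "GET /img/logo.png%00 HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for lineno, script in scan(SAMPLE_LOG):
        print(f"line {lineno}: NUL byte after script name {script}")
```

A hit with a 200 status on a server running 1.55 or earlier means the script's source was probably returned, so any credentials embedded in that script should be treated as exposed.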



proof of concept:



The yaws homepage itself was vulnerable to the attack. Opening the link
in a browser resulted in the display of the following code (only the
first couple of lines...):

--- code ---

box(Str) ->
     {pre, [], yaws_api:htmlize(Str)}}.

tbox(T) ->

--- /code ---



vulnerable versions:



It seems that version 1.55 as well as all prior versions are vulnerable
to the attack described above.



vendor status:


vendor notified: 2005-06-16

vendor response: 2005-06-16

patch available: 2005-06-16


The vendor was extremely fast to respond and post a fix. This is what
vendor vulnerability management should be like!


Download Patch from:



SEC Consult Unternehmensberatung GmbH


Office Vienna

Blindengasse 3

A-1080 Wien



Tel.: +43 / 1 / 409 0307 - 570

Fax.: +43 / 1 / 409 0307 - 590

Mail: office at sec-consult dot com


EOF Daniel Fabian / @2005

d.fabian at sec-consult dot com