CVE-2013-1939: SabreDAV Directory Traversal vulnerability
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| sabre/dav | composer | >= 1.7.0, < 1.7.7 | 1.7.7 |
| sabre/dav | composer | >= 1.8.0, < 1.8.5 | 1.8.5 |
| sabre/dav | composer | >= 1.6.0, < 1.6.9 | 1.6.9 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper path separator handling in the HTML/Browser plugin on Windows. The `serveAsset` method is the primary function responsible for serving files through the web interface in SabreDAV's Browser plugin. Because the advisory specifically mentions improper checking of path separators in the base path, this is the function that would validate and serve requested assets. Without backslash normalization, path traversal is possible via Windows-style separators. The confidence is high because:

1. The vulnerability is explicitly tied to the Browser plugin.
2. `serveAsset` is the core file-serving mechanism.
3. Path traversal vulnerabilities in web interfaces typically originate from request-handling functions like this.
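The separator problem described above, as an added example that is not SabreDAV's code: a check that only understands `/` beside one that normalizes backslashes and verifies containment. It uses Python's `ntpath` module to reproduce Windows path semantics on any OS; `ASSET_BASE`, the function names and the shape of the weak check are assumptions made for illustration.

```python
import ntpath  # Windows path semantics, usable on any OS

# Hypothetical asset directory, constructed for this example.
ASSET_BASE = r"C:\app\browser\assets"


def naive_resolve(asset_name):
    """Weak check: only '/' is treated as a path separator."""
    if ".." in asset_name.split("/"):
        raise ValueError("asset path escapes base directory")
    return ntpath.normpath(ntpath.join(ASSET_BASE, asset_name))


def hardened_resolve(asset_name):
    """Normalize both separators, then verify containment in ASSET_BASE."""
    name = asset_name.replace("\\", "/")
    # Reject absolute paths, drive letters and UNC prefixes outright.
    if name.startswith("/") or ntpath.splitdrive(asset_name)[0]:
        raise ValueError("asset path must be relative")
    if ".." in name.split("/"):
        raise ValueError("asset path escapes base directory")
    resolved = ntpath.normpath(ntpath.join(ASSET_BASE, name))
    base = ntpath.normcase(ASSET_BASE)
    # Defense in depth: the resolved path must still sit under the base.
    if ntpath.commonpath([base, ntpath.normcase(resolved)]) != base:
        raise ValueError("asset path escapes base directory")
    return resolved


def is_rejected(resolver, asset_name):
    """True if the resolver refuses the requested asset name."""
    try:
        resolver(asset_name)
        return False
    except ValueError:
        return True
```

For regression tests, the useful cases are names that mix both separators, since the weak check accepts them while the Windows filesystem resolves the backslashes.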