Your submission was sent successfully! Close

CVE-2009-0843

Published: 31 March 2009

The msLoadQuery function in mapserv in MapServer 4.x before 4.10.4 and 5.x before 5.2.2 allows remote attackers to determine the existence of arbitrary files via a full pathname in the queryfile parameter, which triggers different error messages depending on whether this pathname exists.

Priority

Negligible

Status

Package Release Status
mapserver
Launchpad, Ubuntu, Debian
Upstream Needs triage

Notes

AuthorNote
jdstrand
this can only probe for files that are not present, useless when not
in combination with another attack

References