English (a translation of the Spanish version follows below)
Today, during one of our analysis processes, we detected a security flaw that appears when Hiawatha Web Server's AllowDotFiles configuration directive is activated. The directive's description, quoted from the manual page:
AllowDotFiles = <yes|no>
Allow files that start with a dot (hidden files for Unix) to be downloaded by a client. Requests for .hiawatha files are always blocked. A request URI that starts with /.well-known/ is always accepted, as defined in RFC 5785.
Default = no
Example: AllowDotFiles = yes
Source: https://www.hiawatha-webserver.org/manpages/hiawatha
We have already reported the details to the developer to speed up the resolution of the case. The developer sent us a fix; we tested it and it solves the issue.
Hiawatha version 10.8.4 has been published with the fix, and we strongly encourage upgrading to Hiawatha 10.8.4 or later.
If you run Hiawatha web server 10.8.3 or lower, consider upgrading; otherwise do NOT activate the AllowDotFiles directive. Although the default value is no, it is always a good idea to include the following line explicitly in your configuration:
AllowDotFiles = no
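As an added example (not part of the original advisory and not Hiawatha project code), the following POSIX shell script audits a hiawatha.conf for an active AllowDotFiles = yes line and compares a caller-supplied server version against the fixed release 10.8.4. It assumes the directive appears one per line in the Key = value form shown in the manual and that lines starting with # are comments (assumption); the version string is passed in by the caller (for example from your package manager) rather than read from the binary. The two sample configurations it writes to a temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit a Hiawatha configuration for the AllowDotFiles directive
# and flag the risky combination (directive enabled on a release before 10.8.4).

# Return 0 when an active (uncommented) line sets AllowDotFiles = yes.
# Assumption: one directive per line, "Key = value" form, '#' starts a comment.
allow_dot_files_enabled() {
    grep -Eiq '^[[:space:]]*AllowDotFiles[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$1"
}

# Return 0 when dotted version $1 is strictly lower than $2 (numeric per field).
version_lt() {
    if [ "$1" = "$2" ]; then
        return 1
    fi
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$1" ]
}

# Print a verdict for config $1 running on Hiawatha version $2.
# Returns 1 only for the combination the advisory warns about.
audit_hiawatha() {
    config="$1"
    version="$2"
    if allow_dot_files_enabled "$config"; then
        if version_lt "$version" "10.8.4"; then
            echo "RISK: AllowDotFiles = yes on Hiawatha $version (< 10.8.4): upgrade, or set AllowDotFiles = no"
            return 1
        fi
        echo "INFO: AllowDotFiles = yes on Hiawatha $version (fixed release); keep it on only if hidden files must be served"
        return 0
    fi
    echo "OK: AllowDotFiles is not enabled in $config"
    return 0
}

# Constructed sample configurations (not real deployments) in a temp directory.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/risky.conf" <<'EOF'
# constructed sample: directive enabled
ServerId = www-data
Hostname = 127.0.0.1
AllowDotFiles = yes
EOF
cat > "$SAMPLE_DIR/safe.conf" <<'EOF'
# constructed sample: directive commented out, then set explicitly to no
ServerId = www-data
# AllowDotFiles = yes
AllowDotFiles = no
EOF

# Usage: each call prints one verdict line; "|| true" keeps a RISK result from
# aborting the script when it is run under "set -e".
audit_hiawatha "$SAMPLE_DIR/risky.conf" 10.8.3 || true
audit_hiawatha "$SAMPLE_DIR/risky.conf" 10.8.4 || true
audit_hiawatha "$SAMPLE_DIR/safe.conf" 10.8.3 || true
```

To audit a live host, replace the constructed sample path with the real configuration file and pass the installed version string; a non-zero exit from audit_hiawatha is the condition to act on.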
Spanish version, translated (original English text above)
Today, in one of our analyses, we detected a security flaw when activating the AllowDotFiles configuration directive of Hiawatha Web Server, whose description is quoted from the manual page:
AllowDotFiles = <yes|no>
Allow files that start with a dot (hidden files for Unix) to be downloaded by a client. Requests for .hiawatha files are always blocked. A request URI that starts with /.well-known/ is always accepted, as defined in RFC 5785.
Default = no
Example: AllowDotFiles = yes
Source: https://www.hiawatha-webserver.org/manpages/hiawatha
We have reported the details of the case to the developer to promote a prompt solution; the developer has already sent us a patch, which we have tested and which works correctly. Hiawatha version 10.8.4 has been published with the patch applied to fix this problem.
If you continue using Hiawatha 10.8.3 or lower, do NOT activate the AllowDotFiles directive. Although the default value is no, it never hurts to take the precaution of including the following line in your configuration:
AllowDotFiles = no