litespeedtech / openlitespeed

Our high-performance, lightweight, open source HTTP server
https://openlitespeed.org
GNU General Public License v3.0
1.16k stars 189 forks

Requesting security contact #380

Closed Skad0sh closed 2 weeks ago

Skad0sh commented 7 months ago

We have identified a serious security issue in the OpenLiteSpeed stable version. Please let us know how we can properly disclose the issue.

timnolte commented 7 months ago

Seems like it would be good to set up:

https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository

litespeedtech commented 7 months ago

You can send email to bug litespeedtech com.

Skad0sh commented 7 months ago

We have sent a mail with the complete PoC attached @litespeedtech

Skad0sh commented 6 months ago

We haven't received any replies on mail yet @litespeedtech

litespeedtech commented 6 months ago

We replied to the email through our ticket system on Friday 8th March, please check your email spam folder.

Please try the latest 1.8.0 debug build to see if the vulnerability has been fixed or not: /usr/local/lsws/admin/misc/lsup.sh -b -e 1.8.0

Skad0sh commented 6 months ago

Can you confirm? I can't find it as a reply to my mail; it's not in the spam folder either.

Skad0sh commented 6 months ago

We have replied to your Ticket mail.

Skad0sh commented 6 months ago

The bug still exists in the current release. Please check our reply to your mail ticket bug[@]litespeedtech[.]com Ticket ID: 293496 @litespeedtech

litespeedtech commented 6 months ago

Thanks. We will have it fixed in a different way then.

Skad0sh commented 6 months ago

The current fix seems to solve the issue. Please assign a CVE to credit the researchers from the first report we sent.

Skad0sh commented 6 months ago

I think this bug is already patched. Any update regarding the CVE? @litespeedtech

kenballus commented 5 months ago

Curious to hear what this issue is. I wonder if it overlaps with any of the request smuggling issues I noticed a few months ago that have remained unfixed. See the README here for a list of these issues: https://github.com/narfindustries/http-garden

Send me mail (address at bottom of page on my website) if you know the answer to this.

Skad0sh commented 4 months ago

Hey, this issue has not been assigned a CVE as of now. Can you guys fast-forward this if anything is blocking on your side? There is a reserved CVE ID for this. Also, a security advisory would help @litespeedtech

sayoojbkumar commented 4 months ago

@litespeedtech I am facing a delay in publishing the CVE. Is anything blocking on your side?

litespeedtech commented 4 months ago

You guys can go ahead with publishing CVE, we will follow up once it is out.