Closed Skad0sh closed 2 weeks ago
You can send email to bug
We have sent a mail with the complete PoC attached @litespeedtech
We haven't received any replies on mail yet @litespeedtech
We replied to the email through our ticket system on Friday 8th March; please check your email spam folder.
Please try the latest 1.8.0 debug build to see if the vulnerability has been fixed or not: /usr/local/lsws/admin/misc/lsup.sh -b -e 1.8.0
Can you confirm? I can't find it as a reply to my mail, and it's not in the spam either.
We have replied to your Ticket mail.
The bug still exists in the current release. Please check our reply to your mail ticket bug[@]litespeedtech[.]com Ticket ID: 293496 @litespeedtech
Thanks. We will have it fixed in a different way then.
The current fix seems to solve the issue. Please assign a CVE to credit the researchers from the first report we sent.
I think this bug is already patched. Any update regarding the CVE? @litespeedtech
Curious to hear what this issue is. I wonder if it overlaps with any of the request smuggling issues I noticed a few months ago that have remained unfixed. See the README here for a list of these issues: https://github.com/narfindustries/http-garden
Send me mail (address at bottom of page on my website) if you know the answer to this.
Hey, this issue has not been assigned a CVE as of now. Can you guys fast forward this if anything is blocking from your side? There is a reserved CVE ID for this. Also, a security advisory would help @litespeedtech
@litespeedtech I am facing a delay in publishing the CVE. Is anything blocking from your side?
You guys can go ahead with publishing the CVE, we will follow up once it is out.
We have identified a serious security issue in the OpenLiteSpeed stable version. Please let us know how we can properly disclose the issue.