openlitespeed

Requesting security contact

Open Skad0sh opened this issue 1 year ago • 15 comments

We have identified a serious security issue in the OpenLiteSpeed stable version. Please let us know how we can properly disclose the issue.

Skad0sh avatar Mar 05 '24 05:03 Skad0sh

Seems like it would be good to set up:

https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository

timnolte avatar Mar 05 '24 19:03 timnolte

You can send email to bug litespeedtech com .

litespeedtech avatar Mar 05 '24 20:03 litespeedtech

We have sent a mail with the complete PoC attached @litespeedtech

Skad0sh avatar Mar 06 '24 06:03 Skad0sh

We haven't received any replies by mail yet @litespeedtech

Skad0sh avatar Mar 12 '24 05:03 Skad0sh

We replied to the email through our ticket system on Friday 8th March; please check your email spam folder.

Please try the latest 1.8.0 debug build to see if the vulnerability has been fixed or not:

/usr/local/lsws/admin/misc/lsup.sh -b -e 1.8.0

litespeedtech avatar Mar 12 '24 15:03 litespeedtech

Can you confirm? I can't find it as a reply to my mail, and it's not in the spam either.

Skad0sh avatar Mar 12 '24 16:03 Skad0sh

We have replied to your Ticket mail.

Skad0sh avatar Mar 13 '24 05:03 Skad0sh

The bug still exists in the current release. Please check our reply to your mail ticket bug[@]litespeedtech[.]com Ticket ID: 293496 @litespeedtech

Skad0sh avatar Mar 15 '24 05:03 Skad0sh

Thanks. We will have it fixed in a different way then.

litespeedtech avatar Mar 15 '24 15:03 litespeedtech

The current fix seems to solve the issue. Please assign a CVE to credit the researchers from the first report we sent.

Skad0sh avatar Mar 18 '24 05:03 Skad0sh

I think this bug is already patched. Any update regarding the CVE? @litespeedtech

Skad0sh avatar Mar 23 '24 13:03 Skad0sh

Curious to hear what this issue is. I wonder if it overlaps with any of the request smuggling issues I noticed a few months ago that have remained unfixed. See the README here for a list of these issues: https://github.com/narfindustries/http-garden

Send me mail (address at bottom of page on my website) if you know the answer to this.

kenballus avatar Apr 09 '24 02:04 kenballus

Hey, this issue has not been assigned a CVE as of now. Can you guys fast forward this if anything is blocking from your side? There is a reserved CVE ID for this. Also, a security advisory would help @litespeedtech

Skad0sh avatar May 17 '24 08:05 Skad0sh

@litespeedtech I am facing a delay in publishing the CVE. Is anything blocking from your side?

sayoojbkumar avatar May 18 '24 09:05 sayoojbkumar

You guys can go ahead with publishing the CVE, we will follow up once it is out.

litespeedtech avatar May 22 '24 13:05 litespeedtech