p5-Dancer -- possible to abuse session cookie values

2015-06-12T00:00:00
ID 968D1E74-1740-11E5-A643-40A8F0757FB4
Type freebsd
Reporter FreeBSD
Modified 2015-06-12T00:00:00

Description

Russell Jenkins reports:

It was possible to abuse session cookie values so that file-based session stores such as Dancer::Session::YAML or Dancer2::Session::YAML would attempt to read/write from any file on the filesystem with the same extension the file-based store uses, such as '*.yml' for the YAML stores.
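The class of flaw reported above comes from building the session file name directly from the cookie value. The following Perl sketch is an added example, not code from Dancer or from the advisory: it contrasts that pattern with an allowlist check on the session ID. The helper names, the ID format (16 to 64 URL-safe characters) and the sample cookie values are assumptions made for illustration.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

my $EXT = '.yml';    # extension used by the YAML stores named in the advisory

# Unsafe pattern: the cookie value is trusted as a file name component.
# (Hypothetical helper, shown only for contrast.)
sub naive_session_path {
    my ($dir, $id) = @_;
    return "$dir/$id$EXT";
}

# Hardened pattern: accept only IDs in the format the application issues.
# Assumed format: 16-64 characters from [A-Za-z0-9_-].
# \A and \z anchor the whole string; '$' would also match before a trailing newline.
sub safe_session_path {
    my ($dir, $id) = @_;
    return unless defined $id && $id =~ /\A[A-Za-z0-9_-]{16,64}\z/;
    my $base = realpath($dir) or return;    # canonical session directory
    return File::Spec->catfile($base, $id . $EXT);
}

my $dir = tempdir(CLEANUP => 1);    # stand-in for the session directory

# Constructed sample cookie values (not taken from the advisory).
my @cookies = (
    'Zk3q9XbT2mLw8RvA5cNdE7yH',      # well-formed ID
    '../../srv/app/config',          # path separators and parent references
    "Zk3q9XbT2mLw8RvA5cNdE7yH\n",    # well-formed ID plus trailing newline
    'short',                         # too short to be an issued ID
);

for my $cookie (@cookies) {
    (my $shown = $cookie) =~ s/\n/\\n/g;    # make the newline visible in output
    my $safe = safe_session_path($dir, $cookie) // 'REJECTED';
    print "cookie: $shown\n";
    print "  naive: ", naive_session_path($dir, $shown), "\n";
    print "  safe:  $safe\n";
}
```

Only the first cookie yields a path from `safe_session_path`; the other three are rejected before any file name is built, while the naive helper produces a path outside the session directory for the second one.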