Unrated severity · NVD Advisory · Published Apr 29, 2011 · Updated Apr 29, 2026
CVE-2011-1589
Description
Directory traversal vulnerability in Path.pm in Mojolicious before 1.16 allows remote attackers to read arbitrary files via a %2f..%2f (encoded slash dot dot slash) in a URI.
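A simplified model of the parsing order behind this issue, added here as an illustration and not taken from Mojolicious: `unescape`, `canonicalize`, both `parse_*` functions and the root-escape flag are hypothetical helpers, and the request path is a constructed, shortened form of the encoded-slash input.

```perl
use strict;
use warnings;

# Percent-decode a string (hypothetical stand-in for a URL-unescape helper).
sub unescape { my $s = shift; $s =~ s/%([0-9a-fA-F]{2})/chr hex $1/ge; return $s }

# Drop empty and '.' segments, resolve '..' against earlier segments, and
# report whether any '..' tried to climb above the root (assumed policy).
sub canonicalize {
    my @out;
    my $escaped = 0;
    for my $seg (@_) {
        next if $seg eq '' || $seg eq '.';
        if ($seg eq '..') {
            if (@out) { pop @out } else { $escaped = 1 }
            next;
        }
        push @out, $seg;
    }
    return ($escaped, @out);
}

# Split on literal '/' first, decode each segment afterwards.
sub parse_split_then_decode {
    my ($path) = @_;
    return map unescape($_), split m{/}, $path;
}

# Decode the whole path first, then split on '/'.
sub parse_decode_then_split {
    my ($path) = @_;
    return split m{/}, unescape($path);
}

# Constructed sample request path using encoded slashes.
my $request = '/%2f..%2f..%2fetc%2fpasswd';

for my $parser (\&parse_split_then_decode, \&parse_decode_then_split) {
    my ($escaped, @parts) = canonicalize($parser->($request));
    printf "%-8s parts=[%s]\n", $escaped ? 'REJECT' : 'serve',
        join(', ', map "'$_'", @parts);
}
```

With the first parser the encoded run survives as a single segment that never compares equal to `..`, so the check passes it through; with the second the `..` segments are visible to the check before any file lookup.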
Affected products
82 entries:
- cpe:2.3:a:mojolicious:mojolicious:0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.3:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.4:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.5:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.6:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.7:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.8:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.8006:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.8007:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.8008:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.8009:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.8.3:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.8.4:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.8.5:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.9:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.9001:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.9002:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.991231:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.991232:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.991233:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.991234:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.991235:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.991236:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.991237:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.991238:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.991239:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.991240:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.991241:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.991242:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.991243:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.991244:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.991245:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.991246:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.991250:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.991251:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.999901:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.999902:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.999903:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.999904:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.999905:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.999906:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.999907:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.999908:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.999909:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.999910:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.999911:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.999912:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.999913:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.999914:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.999920:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.999921:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.999922:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.999923:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.999924:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.999925:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.999926:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.999927:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.999928:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.999929:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.999930:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.999931:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.999932:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.999933:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.999934:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.999935:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.999936:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.999937:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.999938:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.999939:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.999940:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.999941:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:0.999950:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:1.01:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:1.1:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:1.11:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:1.12:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:1.13:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:1.14:*:*:*:*:*:*:*
- cpe:2.3:a:mojolicious:mojolicious:1.15:*:*:*:*:*:*:*
Patches
b09854988c5b: fixed critical security issue that can expose files on your system and prepared emergency release
4 files changed · +25 −4
Changes+5 −1 modified@@ -1,6 +1,6 @@ This file documents the revision history for Perl extension Mojolicious. -1.16 2011-03-19 00:00:00 +1.17 2011-04-15 00:00:00 - Deprecated Mojolicious process method in favor of the on_process attribute. - Added Failraptor. @@ -29,6 +29,10 @@ This file documents the revision history for Perl extension Mojolicious. - Fixed small perldoc browser bug. (kberov) - Fixed cookbook recipe. (moritz) +1.16 2011-04-15 00:00:00 + - Emergency release for a critical security issue that can expose + files on your system, everybody should update! + 1.15 2011-03-18 00:00:00 - Changed default log level in "production" mode from "error" to "info".
lib/Mojolicious.pm+1 −1 modified@@ -42,7 +42,7 @@ has static => sub { Mojolicious::Static->new }; has types => sub { Mojolicious::Types->new }; our $CODENAME = 'Smiling Cat Face With Heart-Shaped Eyes'; -our $VERSION = '1.16'; +our $VERSION = '1.17'; # "These old doomsday devices are dangerously unstable. # I'll rest easier not knowing where they are."
lib/Mojo/Path.pm+3 −1 modified@@ -80,6 +80,9 @@ sub parse { $path =~ /^\// ? $self->leading_slash(1) : $self->leading_slash(0); $path =~ /\/$/ ? $self->trailing_slash(1) : $self->trailing_slash(0); + # Unescape + url_unescape $path; + # Parse my @parts; for my $part (split '/', $path) { @@ -91,7 +94,6 @@ sub parse { $part = '' unless defined $part; # Store - url_unescape $part; push @parts, $part; }
t/mojo/path.t+16 −1 modified@@ -3,7 +3,7 @@ use strict; use warnings; -use Test::More tests => 3; +use Test::More tests => 11; # "This is the greatest case of false advertising I’ve seen since I sued the # movie 'The Never Ending Story.'" @@ -12,3 +12,18 @@ use_ok 'Mojo::Path'; my $path = Mojo::Path->new; is $path->parse('/path')->to_string, '/path', 'right path'; is $path->parse('/path/0')->to_string, '/path/0', 'right path'; + +# Canonicalizing +$path = Mojo::Path->new( + '/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd'); +is "$path", '/../../../../../../../../../../etc/passwd', 'rigth result'; +is $path->parts->[0], '..', 'right part'; +is $path->canonicalize, '/../../../../../../../../../../etc/passwd', + 'rigth result'; +is $path->parts->[0], '..', 'right part'; +$path = Mojo::Path->new( + '/%2ftest%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd'); +is "$path", '/test/../../../../../../../../../etc/passwd', 'rigth result'; +is $path->parts->[0], 'test', 'right part'; +is $path->canonicalize, '/../../../../../../../../etc/passwd', 'rigth result'; +is $path->parts->[0], '..', 'right part';
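Review bot: In the Changes hunk, the new 1.16 entry does not say which component is affected or what kind of input triggers the issue, so a reader cannot tell whether their deployment is exposed. Suggest naming Mojo::Path and the encoded-slash path handling in the entry, in the same style as the other "Fixed ..." lines.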
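Review bot: In the lib/Mojo/Path.pm hunk, the added `url_unescape $path;` sits after the two lines that set `leading_slash` and `trailing_slash`, so those flags are still computed on the encoded string. A path that begins or ends with `%2f` will decode to a slash without the corresponding flag being set. Suggest moving the unescape above the slash detection so both see the same string. Since `%2f` inside a segment now always becomes a separator, that behaviour change also deserves a line in the `parse` documentation.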
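Review bot: In the t/mojo/path.t hunk, the new cases assert that after `canonicalize` the first part is still `'..'`, so the tests document that Mojo::Path alone does not confine a path to a root and the protection depends on whatever consumes the parts. Suggest adding a test at the file-serving layer that a request with this path is refused, plus a case with upper-case `%2F`. The description string 'rigth result' is misspelled in four of the new assertions and should read 'right result'.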
References
- search.cpan.org/CPAN/authors/id/K/KR/KRAIH/Mojolicious-1.16.tar.gz (nvd: Patch)
- github.com/kraih/mojo/commit/b09854988c5b5b6a2ba53cc8661c4b2677da3818 (nvd: Patch)
- bugs.debian.org/cgi-bin/bugreport.cgi (nvd: Exploit)
- openwall.com/lists/oss-security/2011/04/17/1 (nvd: Exploit, Patch)
- openwall.com/lists/oss-security/2011/04/18/3 (nvd: Exploit, Patch)
- openwall.com/lists/oss-security/2011/04/18/7 (nvd: Exploit)
- www.osvdb.org/71850 (nvd: Exploit)
- bugzilla.redhat.com/show_bug.cgi (nvd: Exploit, Patch)
- github.com/kraih/mojo/issues/114 (nvd: Exploit)
- secunia.com/advisories/44051 (nvd: Vendor Advisory)
- cpansearch.perl.org/src/KRAIH/Mojolicious-1.16/Changes (nvd)
- lists.fedoraproject.org/pipermail/package-announce/2011-April/058885.html (nvd)
- lists.fedoraproject.org/pipermail/package-announce/2011-April/058891.html (nvd)
- perlninja.posterous.com/sharks-in-the-water (nvd)
- secunia.com/advisories/44359 (nvd)
- www.debian.org/security/2011/dsa-2221 (nvd)
- www.securityfocus.com/bid/47402 (nvd)
- www.vupen.com/english/advisories/2011/1072 (nvd)
- www.vupen.com/english/advisories/2011/1093 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/66830 (nvd)