CVE-2015-1164

Name of the Vulnerable Software and Affected Versions serve-static versions prior to 1.6.5 serve-static versions 1.7.x prior to 1.7.2

Description The issue allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a // (slash slash) followed by a domain in the PATH INFO to the default URI. This can be achieved by exploiting the open redirect vulnerability when the serve-static plugin is mounted at the root. Some browsers will interpret a link to http://example.com//www.google.com/%2e%2e as http://www.google.com/%2e%2e, resulting in an external redirect.

Recommendations For versions prior to 1.6.5: Update to version 1.6.5 or later. For versions 1.7.x prior to 1.7.2: Update to version 1.7.2 or later.