CVE-2010-2253

Name of the Vulnerable Software and Affected Versions libwww-perl versions prior to 5.835

Description The issue allows remote servers to create or overwrite files through a 3xx redirect to a URL with a crafted filename or a Content-Disposition header that suggests a crafted filename. This can possibly lead to the execution of arbitrary code as a consequence of writing to a dotfile in a home directory. The problem arises because the software does not reject downloads to filenames that begin with a . (dot) character.

Recommendations For versions prior to 5.835, update to version 5.835 or later to resolve the issue. As a temporary workaround, consider restricting the use of the lwp-download function to minimize the risk of exploitation. Avoid using the lwp-download function with untrusted URLs or servers until the issue is resolved.