| Name | CVE-2009-0843 |
| Description | The msLoadQuery function in mapserv in MapServer 4.x before 4.10.4 and 5.x before 5.2.2 allows remote attackers to determine the existence of arbitrary files via a full pathname in the queryfile parameter, which triggers different error messages depending on whether this pathname exists. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DSA-1914-1 |
| Debian Bugs | 523027 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| mapserver (PTS) | buster | 7.2.2-1 | fixed |
| bullseye | 7.6.2-1 | fixed |
| bookworm | 8.0.0-3 | fixed |
| trixie | 8.0.1-2 | fixed |
| sid | 8.0.1-4 | fixed |
The information below is based on the following data on fixed versions.
Notes
this can only probe for files that are not present, useless when not
in combination with another attack