Requesting security contact about openlitespeed HOT 17 OPEN

Seems like it would be good to setup:

https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository

from openlitespeed.

You can send email to bug litespeedtech com .

from openlitespeed.

We have send a mail with the complete PoC attached @litespeedtech

from openlitespeed.

we haven't recieved any replies on mail yet @litespeedtech

from openlitespeed.

We replied the email through our ticket system on Friday 8th March, please check your email spam folder.

Please try the latest 1.8.0 debug build see if the vulnerability has been fixed or not.
/usr/local/lsws/admin/misc/lsup.sh -b -e 1.8.0

from openlitespeed.

Can you confirm ? I can't find it as a reply to my mail , its not in the spam too.

from openlitespeed.

We have replied to your Ticket mail.

from openlitespeed.

The bug still exists in the current release. Please check our reply to your mail ticket bug[@]litespeedtech[.]com
Ticket ID: 293496 @litespeedtech

from openlitespeed.

Thanks. We will have it fixed in a different way then.

from openlitespeed.

The current fix seems to solve the issue , please assign a CVE to credit the researchers from the first report we send.

from openlitespeed.

I think this bug is already patched , any update regarding the CVE ? @litespeedtech

from openlitespeed.

Curious to hear what this issue is. I wonder if it overlaps with any of the request smuggling issues I noticed a few months ago that have remained unfixed. See the README here for a list of these issues: https://github.com/narfindustries/http-garden

Send me mail (address at bottom of page on my website) if you know the answer to this.

from openlitespeed.