Invalid input to route validation rules

Module: call

Published: July 5th, 2016

Reported by: Nicolas Morel

CVE-NONE

CWE-20

Vulnerable: >= 2.0.1 < 3.0.2
Patched: >= 3.0.2

Overview

Affected versions of call do not validate empty parameters, which may result in a bypass of route validation rules.

Proof of Concept

Routing Scheme:

/api/{param}/{param2}/details

Triggering Request Path:

/api///

Remediation

Update to version 3.0.2 or later.
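
Where an application cannot rely on the router alone, a guard can reject empty path parameters before validation rules or handlers see them. The following is an added example, not code from call or its maintainers: matchRoute and its allowEmpty option are hypothetical names, and the request paths are constructed. It contrasts a lenient matcher, which binds an empty segment to a parameter, with a strict one that refuses the match.

```javascript
// Added illustration: a minimal segment matcher, not the call module's code.
// matchRoute and allowEmpty are hypothetical names.
function matchRoute(template, path, { allowEmpty = false } = {}) {
  const want = template.split('/').slice(1);
  const got = path.split('/').slice(1);
  if (want.length !== got.length) return null;

  const params = {};
  for (let i = 0; i < want.length; i++) {
    const name = /^\{(\w+)\}$/.exec(want[i]);
    if (!name) {
      // Literal segment: must match exactly.
      if (want[i] !== got[i]) return null;
      continue;
    }
    // Parameter segment: an empty value is rejected unless explicitly allowed.
    if (got[i] === '' && !allowEmpty) return null;
    params[name[1]] = got[i];
  }
  return params;
}

const ROUTE = '/api/{param}/{param2}/details'; // routing scheme from the advisory

// Constructed request paths: one well-formed, two with empty parameter segments.
const SAMPLES = ['/api/42/7/details', '/api//7/details', '/api///details'];

// Returns, for each path, what a lenient and a strict matcher would bind.
function compare(paths) {
  return paths.map((p) => ({
    path: p,
    lenient: matchRoute(ROUTE, p, { allowEmpty: true }),
    strict: matchRoute(ROUTE, p),
  }));
}

console.log(JSON.stringify(compare(SAMPLES), null, 2));
```

In the lenient column the empty string reaches the parameter object, which is the condition downstream validation rules may not expect; the strict column returns null so the request can be answered as not found.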

References

Issue #3228