Here is more information on the null byte issue, as reported by NCC Group:
The “static” plug, used to serve assets in Plug-based web frameworks, serves two primary functions: locating the requested file, and setting the response content type. The asset content type is set dynamically, using the Mime.from_path function. For example, a request for the file “images/phoenix.png” will result in a content type of “image/png.” However, if the request is updated to “images/phoenix.png%00.html,” the resulting content type will be set to “text/html.”
Some have mentioned the vulnerability could cause an “access control” issue, causing one user to see files permitted by other users; however, I don’t believe that to be possible because:
Plug.Static doesn’t provide any access control. All files are available to all users.
If you are implementing access control by plugging Plug.Static on an authenticated route, it is most likely that you are doing authentication based on the path prefix rather than the path suffix, and any “weird character”, such as a null byte, would make authentication fail.
However, it is important to mention that this vulnerability may affect you even if you don’t use null bytes. A bug report has been filed on the Erlang/OTP issue tracker.
I will provide more information about the other vulnerability soon.
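The post explains that the content type Plug.Static picks is derived from the request path, so a NUL byte in a path segment lets the extension after it decide the type. One defensive measure while waiting on a fix is a small plug placed ahead of Plug.Static that refuses any request whose decoded path contains a NUL byte. The module below is an added example, not code from the post or from the Plug project; the module name, the 400 response body and the endpoint layout in the trailing comment are assumptions, and it relies on the adapter having already percent-decoded each segment into `conn.path_info` (which Plug.Cowboy does).

```elixir
defmodule MyApp.RejectNullBytes do
  @moduledoc """
  Added example (hypothetical module, not part of Plug): halt any request
  whose percent-decoded path segments contain a NUL byte, so that a path
  such as "images/phoenix.png%00.html" never reaches Plug.Static.
  """
  @behaviour Plug
  import Plug.Conn

  @impl true
  def init(opts), do: opts

  @impl true
  def call(%Plug.Conn{path_info: segments} = conn, _opts) do
    if contains_null_byte?(segments) do
      conn
      |> send_resp(400, "Bad Request")
      |> halt()
    else
      conn
    end
  end

  # Check every already-decoded path segment for the NUL byte (<<0>>).
  # Exposed as a public function so it can be exercised in isolation.
  def contains_null_byte?(segments) when is_list(segments) do
    Enum.any?(segments, &String.contains?(&1, <<0>>))
  end

  # Usage (assumed endpoint layout): plug it before Plug.Static so the
  # check runs first.
  #
  #   plug MyApp.RejectNullBytes
  #   plug Plug.Static, at: "/", from: :my_app
end
```

Because the check runs on `path_info` rather than on the raw request line, it catches the byte however it was encoded by the client, and a halted `conn` stops the pipeline before Plug.Static looks the file up or computes a content type.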