FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CVE-2008-4359

This CVE name corresponds to:

Entered: 2008-09-27
Topic: lighttpd -- multiple vulnerabilities

The following information is adapted from the Common Vulnerabilities and Exposures (CVE) project. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE content is Copyright 2005, The MITRE Corporation.

Details

Type: Candidate
Name: CVE-2008-4359
Phase: Assigned (20080930)

Description

lighttpd before 1.4.20 compares URIs to patterns in the (1) url.redirect and (2) url.rewrite configuration settings before performing URL decoding, which might allow remote attackers to bypass intended access restrictions, and obtain sensitive information or possibly modify data.
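The ordering problem described above, as an added illustration that is not part of the VuXML entry or of lighttpd's own code: a redirect rule is evaluated once against the still-encoded request URI (the pre-1.4.20 behaviour) and once against the percent-decoded URI (the corrected ordering), and an audit helper flags requests whose outcome depends on that order. The rule, target and sample URIs are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed example: one redirect rule meant to send every request under
# /admin/ to a login page. This is not lighttpd's configuration syntax.
REDIRECT_RULES = [(re.compile(r"^/admin/"), "/login")]


def match_before_decode(raw_uri, rules=REDIRECT_RULES):
    """Pre-1.4.20 ordering: the pattern is compared against the encoded URI."""
    for pattern, target in rules:
        if pattern.search(raw_uri):
            return target
    return None


def match_after_decode(raw_uri, rules=REDIRECT_RULES):
    """Corrected ordering: percent-decode first, then compare the pattern."""
    decoded = unquote(raw_uri)
    for pattern, target in rules:
        if pattern.search(decoded):
            return target
    return None


def audit_uri(raw_uri, rules=REDIRECT_RULES):
    """Detection aid: report whether the rule outcome changes with decode order."""
    before = match_before_decode(raw_uri, rules)
    after = match_after_decode(raw_uri, rules)
    return {
        "raw": raw_uri,
        "decoded": unquote(raw_uri),
        "before_decode": before,
        "after_decode": after,
        "order_sensitive": before != after,
    }


if __name__ == "__main__":
    # Constructed sample requests: one plain, one with an encoded letter.
    for uri in ("/admin/users", "/%61dmin/users", "/public/index.html"):
        print(audit_uri(uri))
```

Requests reported as order_sensitive are the ones a pre-1.4.20 server would have handled differently from a patched one, which makes the helper usable over access-log URIs when checking whether a rewrite or redirect rule was ever relied on as an access control.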

References

Source Reference
BUGTRAQ 20081030 rPSA-2008-0309-1 lighttpd
MLIST [oss-security] 20080930 Re: CVE request: lighttpd issues
MLIST [oss-security] 20080930 Re: CVE request: lighttpd issues
MLIST [oss-security] 20080930 Re: Re: CVE request: lighttpd issues
CONFIRM http://trac.lighttpd.net/trac/changeset/2278
CONFIRM http://trac.lighttpd.net/trac/changeset/2307
CONFIRM http://trac.lighttpd.net/trac/changeset/2309
CONFIRM http://trac.lighttpd.net/trac/changeset/2310
CONFIRM http://trac.lighttpd.net/trac/ticket/1720
CONFIRM http://www.lighttpd.net/security/lighttpd-1.4.x_rewrite_redirect_decode_url.patch
CONFIRM http://www.lighttpd.net/security/lighttpd_sa_2008_05.txt
CONFIRM http://wiki.rpath.com/Advisories:rPSA-2008-0309
CONFIRM http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0309
DEBIAN DSA-1645
GENTOO GLSA-200812-04
SUSE SUSE-SR:2008:026
BID 31599
VUPEN ADV-2008-2741
SECUNIA 32132
SECUNIA 32069
SECUNIA 32834
SECUNIA 32972
SECUNIA 32480
XF lighttpd-urlredirect-rewrite-info-disclosure(45690)