FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CVE-2008-4360

This CVE name corresponds to:

Entered Topic
2008-09-27 lighttpd -- multiple vulnerabilities

The following information is adapted from the Common Vulnerabilities and Exposures (CVE) project. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE content is Copyright 2005, The MITRE Corporation.

Details

Type Candidate
Name CVE-2008-4360
Phase Assigned (20080930)

Description

mod_userdir in lighttpd before 1.4.20, when a case-insensitive operating system or filesystem is used, performs case-sensitive comparisons on filename components in configuration options, which might allow remote attackers to bypass intended access restrictions, as demonstrated by a request for a .PHP file when there is a configuration rule for .php files.

References

Source Reference
BUGTRAQ 20081030 rPSA-2008-0309-1 lighttpd
MLIST [oss-security] 20080930 Re: CVE request: lighttpd issues
MLIST [oss-security] 20080930 Re: CVE request: lighttpd issues
MLIST [oss-security] 20080930 Re: Re: CVE request: lighttpd issues
CONFIRM http://trac.lighttpd.net/trac/changeset/2283
CONFIRM http://trac.lighttpd.net/trac/changeset/2308
CONFIRM http://trac.lighttpd.net/trac/ticket/1589
CONFIRM http://www.lighttpd.net/security/lighttpd-1.4.x_userdir_lowercase.patch
CONFIRM http://www.lighttpd.net/security/lighttpd_sa_2008_06.txt
CONFIRM http://wiki.rpath.com/Advisories:rPSA-2008-0309
CONFIRM http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0309
DEBIAN DSA-1645
GENTOO GLSA-200812-04
SUSE SUSE-SR:2008:026
BID 31600
VUPEN ADV-2008-2741
SECUNIA 32132
SECUNIA 32069
SECUNIA 32834
SECUNIA 32972
SECUNIA 32480
XF lighttpd-moduserdir-info-disclosure(45689)