FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

lighttpd -- multiple vulnerabilities

Affected packages
lighttpd < 1.4.19_3

Details

VuXML ID fb911e31-8ceb-11dd-bb29-000c6e274733
Discovery 2008-09-26
Entry 2008-09-27
Modified 2009-02-22

Lighttpd seurity annoucement:

lighttpd 1.4.19, and possibly other versions before 1.5.0, does not decode the url before matching against rewrite and redirect patterns, which allows attackers to bypass rewrites rules. this can be a security problem in certain configurations if these rules are used to hide certain urls.

[source]

lighttpd 1.4.19, and possibly other versions before 1.5.0, does not lowercase the filename after generating it from the url in mod_userdir on case insensitive (file)systems.

As other modules are case sensitive, this may lead to information disclosure; for example if one configured php to handle files ending on ".php", an attacker will get the php source with http://example.com/~user/file.PHP

[source]

lighttpd 1.4.19 does not always release a header if it triggered a 400 (Bad Request) due to a duplicate header.

[source]

References

Bugtraq ID 31434
CVE Name CVE-2008-4298
CVE Name CVE-2008-4359
CVE Name CVE-2008-4360
URL http://www.lighttpd.net/security/lighttpd_sa_2008_05.txt
URL http://www.lighttpd.net/security/lighttpd_sa_2008_06.txt
URL http://www.lighttpd.net/security/lighttpd_sa_2008_07.txt

Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright information.