CVE-2008-4359 Information

Description

lighttpd before 1.4.20 compares URIs to patterns in the (1) url.redirect and (2) url.rewrite configuration settings before performing URL decoding, which might allow remote attackers to bypass intended access restrictions and obtain sensitive information or possibly modify data.

Reference

http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00002.html
http://openwall.com/lists/oss-security/2008/09/30/1
http://openwall.com/lists/oss-security/2008/09/30/2
http://openwall.com/lists/oss-security/2008/09/30/3
http://secunia.com/advisories/32069
http://secunia.com/advisories/32132
http://secunia.com/advisories/32480
http://secunia.com/advisories/32834
http://secunia.com/advisories/32972
http://security.gentoo.org/glsa/glsa-200812-04.xml
http://trac.lighttpd.net/trac/changeset/2278
http://trac.lighttpd.net/trac/changeset/2307
http://trac.lighttpd.net/trac/changeset/2309
http://trac.lighttpd.net/trac/changeset/2310
http://trac.lighttpd.net/trac/ticket/1720
http://wiki.rpath.com/Advisories:rPSA-2008-0309
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0309
http://www.debian.org/security/2008/dsa-1645
http://www.lighttpd.net/security/lighttpd_sa_2008_05.txt
http://www.lighttpd.net/security/lighttpd-1.4.x_rewrite_redirect_decode_url.patch
http://www.securityfocus.com/archive/1/497932/100/0/threaded
http://www.securityfocus.com/bid/31599
http://www.vupen.com/english/advisories/2008/2741
https://exchange.xforce.ibmcloud.com/vulnerabilities/45690 lighttpd-urlredirect-rewrite-info-disclosure(45690)