
Bug 124834

Summary: www-servers/lighttpd - remote information disclosure (CVE-2006-0814)
Product: Gentoo Security
Reporter: Carsten Lohrke (RETIRED) <carlo>
Component: Auditing
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: normal
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Carsten Lohrke (RETIRED) gentoo-dev 2006-03-03 10:56:42 UTC
1) Affected Software

* Lighttpd version 1.4.10 for Windows.

Other versions may also be affected.

======================================================================
2) Severity

Rating: Moderately Critical
Impact: Exposure of sensitive information
Where:  Remote

======================================================================
3) Description of Vulnerability

Secunia Research has discovered a vulnerability in Lighttpd, which
can be exploited by malicious people to disclose potentially sensitive
information.

The vulnerability is caused due to a validation error of the filename
extension supplied by the user in the URL. This can be exploited to
retrieve the source code of script files (e.g. PHP) from the server
via specially-crafted requests containing dot and space characters.

http://secunia.com/secunia_research/2006-9/advisory/
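Added example (not lighttpd's code and not part of the bug report): the advisory describes a handler decision made on the extension as it appears in the URL, while Windows opens the file after silently stripping trailing dots and spaces from the name. The constructed handler table, the `windows_open_name` model of that normalisation, and the `handler_raw` / `handler_canonical` functions are assumptions written to show the mismatch and the canonicalise-before-dispatch fix.

```python
import posixpath

# Constructed handler table: which backend serves which extension.
HANDLERS = {".php": "fastcgi", ".cgi": "cgi"}


def windows_open_name(path: str) -> str:
    """Assumed model of Win32 name normalisation: trailing dots and spaces
    are dropped from each segment, so 'index.php.' and 'index.php ' both
    open index.php. Dot-segments are left alone (resolved elsewhere)."""
    parts = []
    for seg in path.split("/"):
        if seg not in (".", ".."):
            seg = seg.rstrip(". ")
        parts.append(seg)
    return "/".join(parts)


def handler_raw(request_path: str) -> str:
    """Vulnerable pattern: pick the handler from the extension of the path
    exactly as it arrived. A trailing dot or space changes the extension,
    so the request falls through to the static-file handler even though
    the OS opens the script file itself."""
    ext = posixpath.splitext(request_path)[1].lower()
    return HANDLERS.get(ext, "static")


def handler_canonical(request_path: str) -> str:
    """Hardened pattern: refuse any path the OS would rewrite on open, and
    otherwise dispatch on the canonical name so the handler decision and
    the file actually opened always agree."""
    canonical = windows_open_name(request_path)
    if canonical != request_path:
        return "reject"  # log and answer 400/404; never serve the file
    ext = posixpath.splitext(canonical)[1].lower()
    return HANDLERS.get(ext, "static")
```

The same comparison (`windows_open_name(path) != path`) doubles as a detection rule over access logs on a Windows-hosted server: any hit for a script extension followed by trailing dots or spaces deserves a look.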
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2006-03-03 13:20:15 UTC
Looks like a Windows specific thing or a dupe from bug 123022
Comment 2 Carsten Lohrke (RETIRED) gentoo-dev 2006-03-04 05:42:55 UTC
(In reply to comment #1)
> Looks like a Windows specific thing or a dupe from bug 123022
> 

Likely a dupe. I wanted to track it anyways, since the advisory is very unspecific and the CVE entry status is under review, so there's not much information available.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2006-03-04 07:50:23 UTC
http://www.lighttpd.net/news/ says it's a Windows-only issue.