Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 239552

Summary: <=www-servers/lighttpd-1.4.20 access restrictions bypass (CVE-2008-4359)
Product: Gentoo Security Reporter: Stefan Behte (RETIRED) <craig>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED DUPLICATE    
Severity: normal CC: www-servers+disabled
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Stefan Behte (RETIRED) gentoo-dev Security 2008-10-04 15:40:05 UTC 
CVE-2008-4359 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4359):
  lighttpd before 1.4.20 compares URIs to patterns in the (1)
  url.redirect and (2) url.rewrite configuration settings before
  performing URL decoding, which might allow remote attackers to bypass
  intended access restrictions, and obtain sensitive information or
  possibly modify data.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2008-10-04 15:45:44 UTC 
Didn't see the CVE in 238180 first, sorry.

*** This bug has been marked as a duplicate of bug 238180 ***