239552 – <=www-servers/lighttpd-1.4.20 access restrictions bypass (CVE-2008-4359)

Bug 239552 - <=www-servers/lighttpd-1.4.20 access restrictions bypass (CVE-2008-4359)

Summary: <=www-servers/lighttpd-1.4.20 access restrictions bypass (CVE-2008-4359)

Status:	RESOLVED DUPLICATE of bug 238180

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High normal
Assignee:	Gentoo Security

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2008-10-04 15:40 UTC by Stefan Behte (RETIRED)
Modified:	2008-10-04 15:45 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Stefan Behte (RETIRED) gentoo-dev

2008-10-04 15:40:05 UTC

CVE-2008-4359 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4359):
  lighttpd before 1.4.20 compares URIs to patterns in the (1)
  url.redirect and (2) url.rewrite configuration settings before
  performing URL decoding, which might allow remote attackers to bypass
  intended access restrictions, and obtain sensitive information or
  possibly modify data.

Comment 1 Stefan Behte (RETIRED) gentoo-dev

2008-10-04 15:45:44 UTC

Didn't see the CVE in 238180 first, sorry.

*** This bug has been marked as a duplicate of bug 238180 ***