Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 259007 - www-servers/lighttpd-1.4.20: possible security issue with example mod_cgi.conf/lighttpd.conf
Summary: www-servers/lighttpd-1.4.20: possible security issue with example mod_cgi.con...
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Christian Hoffmann (RETIRED)
Depends on:
Blocks: 260174
  Show dependency tree
Reported: 2009-02-14 21:05 UTC by Sven Gebhardt
Modified: 2009-05-12 09:54 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

move includes to bottom (bug-259007.diff,867 bytes, patch)
2009-04-10 10:32 UTC, Thilo Bangert (RETIRED) (RETIRED)
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Sven Gebhardt 2009-02-14 21:05:18 UTC
The lighttpd ebuild installs certain example config files (lighttpd.conf, mod_cgi.conf, mod_fastcgi.conf) which can end up in overwritten variables which will eventually allow directory listings on /cgi-bin/ directorys.

In the lighttpd.conf, you have the following in the top third of the file:
  # uncomment for cgi support
  #include "mod_cgi.conf"

After those includes, the basic server settings follow. Those server settings include the option to generally allow directory listings:
  # {{{ mod_dirlisting
  # enable directory listings
  #   dir-listing.activate      = "enable"

Within the file "mod_cgi.conf", directory listings are disabled for /cgi-bin/ directorys:
  # disable directory listings
  dir-listing.activate = "disable"

Given that an user generally allows directory listings by uncommenting the provided line, lighttpd overrides the previous denying of directory listings in  certain conditions. The user would end up with directory listings in his /cgi-bin/s, which may result in security issues.

A possible and simple fix would be moving the includes section to the end of lighttpd.conf.

Reproducible: Always

Steps to Reproduce:
1. Be dumb or lazy enough to use provided default config files.
2. Be dumb or lazy enough to use provided configuration options in a combination nobody ever thought of.
3. Restart lighttpd. You now have a cgi-bin, and everyone else knows that too.

Actual Results:  
A directory listing in /cgi-bin/.

Expected Results:  
404 - Not Found
Comment 1 Christian Hoffmann (RETIRED) gentoo-dev 2009-02-15 16:33:00 UTC
I'd not consider this to be a security bug. Firstly, there is no exposure of *secret* information in this case -- it's more or less a case of security by obscurity, which should never be the only security measure.
And secondly, it's not even a default configuration, it may only be seen as a suggestion to the user to do that.

I guess we will change it in the next revision nevertheless, but I'd rather not handle it as a security bug, unless the rest of the team(s) (security and web-apps) has any objections.
Comment 2 Thilo Bangert (RETIRED) (RETIRED) gentoo-dev 2009-04-04 17:31:17 UTC
hoffie: in what way did you want to 'fix' this?

security: could you give an evaluation of the severity. i do agree with hoffie.
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2009-04-09 23:24:29 UTC
I've also the opinion that it's not worth being handled as a security bug.
Comment 4 Christian Hoffmann (RETIRED) gentoo-dev 2009-04-10 10:10:32 UTC
Moving the basic dir-listing setup to the top of the file would probably be the easiest and smartest solution.
Comment 5 Thilo Bangert (RETIRED) (RETIRED) gentoo-dev 2009-04-10 10:32:18 UTC
Created attachment 187867 [details, diff]
move includes to bottom

how about moving the includes to the bottom? seems weird to first configure the mod_dirlisting settings and then the general server settings...
Comment 6 Thilo Bangert (RETIRED) (RETIRED) gentoo-dev 2009-04-10 10:32:53 UTC
security: thanks for your input.
Comment 7 Thilo Bangert (RETIRED) (RETIRED) gentoo-dev 2009-05-12 09:54:31 UTC
fixed in cvs. thanks for the report