Bug 259007 - www-servers/lighttpd-1.4.20: possible security issue with example mod_cgi.conf/lighttpd.conf
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High minor
Assignee: Christian Hoffmann (RETIRED)
Blocks: 260174
Reported: 2009-02-14 21:05 UTC by Sven Gebhardt
Modified: 2009-05-12 09:54 UTC



Attachments
move includes to bottom (bug-259007.diff,867 bytes, patch)
2009-04-10 10:32 UTC, Thilo Bangert (RETIRED)

Description Sven Gebhardt 2009-02-14 21:05:18 UTC
The lighttpd ebuild installs certain example config files (lighttpd.conf, mod_cgi.conf, mod_fastcgi.conf) which can end up in overwritten variables which will eventually allow directory listings on /cgi-bin/ directories.

In the lighttpd.conf, you have the following in the top third of the file:
  # uncomment for cgi support
  #include "mod_cgi.conf"

After those includes, the basic server settings follow. Those server settings include the option to generally allow directory listings:
  # {{{ mod_dirlisting
  # enable directory listings
  #   dir-listing.activate      = "enable"

Within the file "mod_cgi.conf", directory listings are disabled for /cgi-bin/ directories:
  # disable directory listings
  dir-listing.activate = "disable"

Given that a user generally allows directory listings by uncommenting the provided line, lighttpd overrides the previous denying of directory listings in certain conditions. The user would end up with directory listings in his /cgi-bin/s, which may result in security issues.

A possible and simple fix would be moving the includes section to the end of lighttpd.conf.

Reproducible: Always

Steps to Reproduce:
1. Be dumb or lazy enough to use provided default config files.
2. Be dumb or lazy enough to use provided configuration options in a combination nobody ever thought of.
3. Restart lighttpd. You now have a cgi-bin, and everyone else knows that too.

Actual Results:
A directory listing in /cgi-bin/.

Expected Results:
404 - Not Found
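As an added audit check (not part of this bug report or of the lighttpd project), the following Python scans a lighttpd.conf for the ordering the report describes: an include directive that precedes a later global dir-listing.activate = "enable". The two config fragments are constructed samples; conditional blocks are tracked by brace depth so that per-URL overrides inside $HTTP[...] { } are not mistaken for global settings.

```python
import re

# Constructed lighttpd.conf fragments (not from the ebuild). RISKY mirrors the
# layout the report describes: the include sits above the global dir-listing
# setting that an admin later uncomments.
RISKY_CONF = """\
include "mod_cgi.conf"
# {{{ mod_dirlisting
dir-listing.activate      = "enable"
# }}}
"""

# Same directives with the include moved to the bottom, as the attached patch does.
FIXED_CONF = """\
dir-listing.activate      = "enable"
$HTTP["url"] =~ "^/private/" {
    dir-listing.activate = "disable"
}
include "mod_cgi.conf"
"""

INCLUDE_RE = re.compile(r'^include\s+"([^"]+)"')
DIRLIST_RE = re.compile(r'^dir-listing\.activate\s*=\s*"(enable|disable)"')


def scan(conf):
    """Return (kind, line_no, detail) for top-level includes and for
    dir-listing.activate assignments in the global context (brace depth 0).
    Assumes '{' and '}' only open and close conditional blocks; a regex
    literal containing braces would confuse this simple depth counter."""
    events, depth = [], 0
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment line (also the {{{ fold markers)
        if depth == 0:
            m = INCLUDE_RE.match(line)
            if m:
                events.append(("include", no, m.group(1)))
            m = DIRLIST_RE.match(line)
            if m:
                events.append(("dirlisting", no, m.group(1)))
        depth += line.count("{") - line.count("}")
    return events


def includes_shadowed_by_global_dirlisting(conf):
    """Included files that come before a later global
    dir-listing.activate = "enable", the ordering this bug reports."""
    events = scan(conf)
    return [d for i, (k, _, d) in enumerate(events) if k == "include"
            and any(k2 == "dirlisting" and d2 == "enable"
                    for k2, _, d2 in events[i + 1:])]
```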
Comment 1 Christian Hoffmann (RETIRED) gentoo-dev 2009-02-15 16:33:00 UTC
I'd not consider this to be a security bug. Firstly, there is no exposure of *secret* information in this case -- it's more or less a case of security by obscurity, which should never be the only security measure.
And secondly, it's not even a default configuration, it may only be seen as a suggestion to the user to do that.

I guess we will change it in the next revision nevertheless, but I'd rather not handle it as a security bug, unless the rest of the team(s) (security and web-apps) has any objections.
Comment 2 Thilo Bangert (RETIRED) gentoo-dev 2009-04-04 17:31:17 UTC
hoffie: in what way did you want to 'fix' this?

security: could you give an evaluation of the severity. i do agree with hoffie.
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2009-04-09 23:24:29 UTC
I also have the opinion that it's not worth being handled as a security bug.
Comment 4 Christian Hoffmann (RETIRED) gentoo-dev 2009-04-10 10:10:32 UTC
Moving the basic dir-listing setup to the top of the file would probably be the easiest and smartest solution.
Comment 5 Thilo Bangert (RETIRED) gentoo-dev 2009-04-10 10:32:18 UTC
Created attachment 187867 [details, diff]
move includes to bottom

how about moving the includes to the bottom? seems weird to first configure the mod_dirlisting settings and then the general server settings...
Comment 6 Thilo Bangert (RETIRED) gentoo-dev 2009-04-10 10:32:53 UTC
security: thanks for your input.
Comment 7 Thilo Bangert (RETIRED) gentoo-dev 2009-05-12 09:54:31 UTC
fixed in cvs. thanks for the report