Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Vulnerabilities » CVE-2008-4360

Overview

Vulnerability Score 7.8 7.8
CVE Id CVE-2008-4360
Last Modified 07 Mar 2011 10:12:19
Published 03 Oct 2008 01:41:40
Confidentiality Impact COMPLETE COMPLETE
Integrity Impact NONE NONE
Availability Impact NONE NONE
Access Vector NETWORK
Access Complexity LOW
Authentication NONE

CVE-2008-4360

Summary

mod_userdir in lighttpd before 1.4.20, when a case-insensitive operating system or filesystem is used, performs case-sensitive comparisons on filename components in configuration options, which might allow remote attackers to bypass intended access restrictions, as demonstrated by a request for a .PHP file when there is a configuration rule for .php files.

Vulnerable Systems

Application

  • Lighttpd

  • Lighttpd 1.0.2

  • Lighttpd 1.0.3

  • Lighttpd 1.1.0

  • Lighttpd 1.1.1

  • Lighttpd 1.1.2

  • Lighttpd 1.1.3

  • Lighttpd 1.1.4

  • Lighttpd 1.1.5

  • Lighttpd 1.1.6

  • Lighttpd 1.1.7

  • Lighttpd 1.1.8

  • Lighttpd 1.1.9

  • Lighttpd 1.2.0

  • Lighttpd 1.2.1

  • Lighttpd 1.2.2

  • Lighttpd 1.2.3

  • Lighttpd 1.2.4

  • Lighttpd 1.2.5

  • Lighttpd 1.2.6

  • Lighttpd 1.2.7

  • Lighttpd 1.2.8

  • Lighttpd 1.3.0

  • Lighttpd 1.3.1

  • Lighttpd 1.3.10

  • Lighttpd 1.3.11

  • Lighttpd 1.3.12

  • Lighttpd 1.3.13

  • Lighttpd 1.3.14

  • Lighttpd 1.3.15

  • Lighttpd 1.3.16

  • Lighttpd 1.3.2

  • Lighttpd 1.3.3

  • Lighttpd 1.3.4

  • Lighttpd 1.3.5

  • Lighttpd 1.3.6

  • Lighttpd 1.3.7

  • Lighttpd 1.3.8

  • Lighttpd 1.3.9

  • Lighttpd 1.4.0

  • Lighttpd 1.4.1

  • Lighttpd 1.4.10

  • Lighttpd 1.4.11

  • Lighttpd 1.4.12

  • Lighttpd 1.4.13

  • Lighttpd 1.4.14

  • Lighttpd 1.4.15

  • Lighttpd 1.4.16

  • Lighttpd 1.4.17

  • Lighttpd 1.4.18

  • Lighttpd 1.4.19


References

CONFIRM - http://www.lighttpd.net/security/lighttpd_sa_2008_06.txt

CONFIRM - http://www.lighttpd.net/security/lighttpd-1.4.x_userdir_lowercase.patch

CONFIRM - http://trac.lighttpd.net/trac/ticket/1589

XF - lighttpd-moduserdir-info-disclosure(45689)

VUPEN - ADV-2008-2741

BID - 31600

BUGTRAQ - 20081030 rPSA-2008-0309-1 lighttpd

DEBIAN - DSA-1645

CONFIRM - http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0309

CONFIRM - http://wiki.rpath.com/Advisories:rPSA-2008-0309

CONFIRM - http://trac.lighttpd.net/trac/changeset/2308

CONFIRM - http://trac.lighttpd.net/trac/changeset/2283

GENTOO - GLSA-200812-04

SECUNIA - 32972

SECUNIA - 32834

SECUNIA - 32480

SECUNIA - 32132

SECUNIA - 32069

MLIST - [oss-security] 20080930 Re: Re: CVE request: lighttpd issues

MLIST - [oss-security] 20080930 Re: CVE request: lighttpd issues

SUSE - SUSE-SR:2008:026


Last Updated: 27 May 2016 10:48:28