SECURITY
In lighttpd 1.3.7 and below it is possible to fetch the source of files
that should be handled by CGI or FastCGI applications.
- How to reproduce:
append a %00 to the filename:
http://www.example.org/index.php%00
- Description
Control sequences are not mapped out in buffer_urldecode() in buffer.c,
which leads to such a sequence in the filename, while lighttpd
handles the %00 as part of the filename.
- Fix
- upgrade to the latest version 1.3.10
or
- apply the fixes referenced at http://wiki.lighttpd.net/7.html#A12
- affected versions
1.3.7 and below
- not affected
1.3.8 and above
1.3.7 and below if
- no CGI or FastCGI is used
- no CGI is used and FastCGI is running on a remote host
- Credits
daniel@schlach.com
- Advisories
http://www.gentoo.org/security/en/glsa/glsa-200502-21.xml
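
The mismatch described under Description, as an added C sketch (not lighttpd's code): a decoder that lets %00 through produces a buffer whose length-aware suffix is no longer ".php", while C file APIs stop reading at the NUL. The function names, the suffix-based handler choice and the '_' replacement for control bytes are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Value of one hex digit, or -1 (hypothetical helper). */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decode %XX escapes from src into dst (dst holds strlen(src)+1 bytes).
 * Returns the decoded length, which exceeds strlen(dst) if a NUL was decoded.
 * With map_ctrl set, control bytes (< 32 or 127) become '_' (assumed mapping). */
static size_t urldecode(const char *src, char *dst, int map_ctrl) {
    size_t n = 0;
    for (; *src; src++) {
        int hi = 0, lo = 0, c = (unsigned char)*src;
        if (c == '%' && (hi = hexval((unsigned char)src[1])) >= 0
                     && (lo = hexval((unsigned char)src[2])) >= 0) {
            c = hi * 16 + lo;
            src += 2;
            if (map_ctrl && (c < 32 || c == 127)) c = '_';
        }
        dst[n++] = (char)c;
    }
    dst[n] = '\0';
    return n;
}

/* Length-aware suffix match, as a handler lookup by extension might do (assumption). */
static int has_suffix(const char *buf, size_t len, const char *ext) {
    size_t e = strlen(ext);
    return len >= e && memcmp(buf + len - e, ext, e) == 0;
}

/* Returns 1 if the decoded path would be routed to the ".php" handler. */
static int routed_to_handler(const char *url, int map_ctrl, char *path, size_t *len) {
    *len = urldecode(url, path, map_ctrl);
    return has_suffix(path, *len, ".php");
}

int main(void) {
    char path[64]; size_t len;
    for (int m = 0; m <= 1; m++) {   /* m=0: unfiltered decode, m=1: control bytes mapped */
        int r = routed_to_handler("/index.php%00", m, path, &len);
        printf("map_ctrl=%d handler=%d matched_len=%zu file_api_sees=%s\n", m, r, len, path);
    }
    return 0;
}
```

With the mapping enabled, the name the matcher checks and the name a file API would open are the same string, so the request no longer resolves to the script's source.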