Access Control Bypass in lighttpd Web Server
CVE-2008-4359

Currently unrated

Key Information:

Vendor: Lighttpd
Status: Lighttpd
Vendor: CVE Published:; 3 October 2008

What is CVE-2008-4359?

The vulnerability in lighttpd affects versions prior to 1.4.20, where the server improperly compares URIs against patterns in the url.redirect and url.rewrite configuration settings before conducting URL decoding. This oversight may enable remote attackers to bypass intended access restrictions, potentially leading to unauthorized exposure of sensitive information or the alteration of data. Proper handling of URI patterns is necessary to prevent such exploits.

References

http://secunia.com/advisories/32069

third-party-advisoryx_refsource_SECUNIA

http://trac.lighttpd.net/trac/changeset/2307

x_refsource_CONFIRM

http://www.lighttpd.net/security/lighttpd_sa_2008_05.txt

x_refsource_CONFIRM

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 3, 2008
Vulnerability Reserved
Sep 30, 2008

Lighttpd

What is CVE-2008-4359?

References

Timeline