CVE-2008-4360
Summary
| CVE | CVE-2008-4360 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2008-10-03 17:41:00 UTC |
| Updated | 2018-11-29 15:46:00 UTC |
| Description | mod_userdir in lighttpd before 1.4.20, when a case-insensitive operating system or filesystem is used, performs case-sensitive comparisons on filename components in configuration options, which might allow remote attackers to bypass intended access restrictions, as demonstrated by a request for a .PHP file when there is a configuration rule for .php files. |
Risk And Classification
Problem Types: CWE-200
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Debian | Debian Linux | 4.0 | All | All | All |
| Application | Lighttpd | Lighttpd | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Debian update for lighttpd - Secunia Advisories - Vulnerability Intelligence - Secunia.com | SECUNIA | secunia.com | Third Party Advisory |
| IBM X-Force Exchange | XF | exchange.xforce.ibmcloud.com | Third Party Advisory, VDB Entry |
| oss-security - Re: CVE request: lighttpd issues | MLIST | openwall.com | Mailing List, Third Party Advisory |
| Redmine 404 error | CONFIRM | trac.lighttpd.net | Broken Link, Vendor Advisory |
| Webmail | OVH- OVH | VUPEN | www.vupen.com | Third Party Advisory |
| rPath update for lighttpd - Secunia Advisories - Vulnerability Intelligence - Secunia.com | SECUNIA | secunia.com | Third Party Advisory |
| oss-security - Re: Re: CVE request: lighttpd issues | MLIST | openwall.com | Mailing List, Third Party Advisory |
| Advisories:rPSA-2008-0309 - rPath Wiki | CONFIRM | wiki.rpath.com | Third Party Advisory |
| www.lighttpd.net/security/lighttpd_sa_2008_06.txt | CONFIRM | www.lighttpd.net | Patch, Vendor Advisory |
| SUSE update for phpMyAdmin and lighttpd - Secunia.com | SECUNIA | secunia.com | Third Party Advisory |
| SecurityFocus | BUGTRAQ | www.securityfocus.com | Third Party Advisory, VDB Entry |
| Debian -- Security Information -- DSA-1645-1 lighttpd | DEBIAN | www.debian.org | Third Party Advisory |
| Lighttpd 'mod_userdir' Case Sensitive Comparison Security Bypass Vulnerability | BID | www.securityfocus.com | Third Party Advisory, VDB Entry |
| lighttpd: Multiple vulnerabilities — Gentoo Linux Documentation | GENTOO | security.gentoo.org | Third Party Advisory |
| Lighttpd - Bug #1589: server.force-lowercase-filenames doesn't work inside userdir's - lighty labs | CONFIRM | trac.lighttpd.net | Patch, Vendor Advisory |
| www.lighttpd.net/security/lighttpd-1.4.x_userdir_lowercase.patch | CONFIRM | www.lighttpd.net | Patch, Vendor Advisory |
| lighttpd Weakness and Vulnerabilities - Secunia Advisories - Vulnerability Intelligence - Secunia.com | SECUNIA | secunia.com | Third Party Advisory |
| Security Advisory SA32972 - Gentoo update for lighttpd - Secunia | SECUNIA | secunia.com | Third Party Advisory |
| [security-announce] SUSE Security Summary Report: SUSE-SR:2008:026 | SUSE | lists.opensuse.org | Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.