Red Hat Bugzilla – Bug 465751
CVE-2008-4359 lighttpd: bypass of rewrite/redirect rules using encoded urls
Last modified: 2009-04-09 13:45:46 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-4359 to the following vulnerability:
lighttpd before 1.4.20 compares URIs to patterns in the (1) url.redirect and
(2) url.rewrite configuration settings before performing URL decoding, which
might allow remote attackers to bypass intended access restrictions, and obtain
sensitive information or possibly modify data.
Affected: all versions before 1.4.20 (1.5 before r2310)
Upstream bug report:
Upstream patches (1.4.x):
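The ordering problem in the CVE text is easy to reproduce outside lighttpd. The following is an added illustration, not lighttpd's own code or the upstream patch: it models a rewrite table in the spirit of url.rewrite-once, runs the pattern match either against the raw (still percent-encoded) request URI, as the pre-1.4.20 behaviour is described above, or against the decoded URI, as the fix does, and shows how an encoded request such as `/%61dmin/users` slips past a rule written for `/admin`. The rules, URIs and the exact decode step are constructed assumptions for the example; real lighttpd also matches against the query string and uses `$1`-style references.

```python
import re
from urllib.parse import unquote

# Constructed rewrite table (assumption for this example), pattern -> replacement.
# Python backreferences (\1) stand in for lighttpd's $1.
RULES = [
    (r"^/admin(/.*)?$", "/denied"),   # deny an internal area
    (r"^/old/(.*)$", r"/new/\1"),     # an ordinary relocation
]


def decode_path(raw: str) -> str:
    """Percent-decode a request path the way the file-serving layer will."""
    return unquote(raw)


def apply_rewrite(raw_uri: str, rules, match_decoded: bool) -> str:
    """Return the path later stages of the server would actually see.

    match_decoded=False models the vulnerable order in CVE-2008-4359: rules
    are compared with the raw, still-encoded URI and only afterwards is the
    path decoded for the filesystem or backend.
    match_decoded=True models the fix: decode first, then match.
    """
    subject = decode_path(raw_uri) if match_decoded else raw_uri
    for pattern, repl in rules:
        m = re.match(pattern, subject)
        if m:
            return m.expand(repl)
    # No rule matched: the decoded path is what the rest of the server uses.
    return decode_path(raw_uri)


def find_bypasses(raw_uris, rules):
    """List requests whose outcome differs between the two matching orders."""
    hits = []
    for uri in raw_uris:
        vuln = apply_rewrite(uri, rules, match_decoded=False)
        fixed = apply_rewrite(uri, rules, match_decoded=True)
        if vuln != fixed:
            hits.append((uri, vuln, fixed))
    return hits


if __name__ == "__main__":
    # Constructed sample requests, including two encoded variants of /admin.
    probes = ["/admin/users", "/%61dmin/users", "/admin%2Fusers", "/old/page"]
    for uri, vuln, fixed in find_bypasses(probes, RULES):
        print(f"{uri}: raw-match serves {vuln}, decoded-match serves {fixed}")
```

Running it reports `/%61dmin/users` and `/admin%2Fusers` as bypasses: matched raw, neither hits the deny rule, and the decoded path `/admin/users` is served; matched after decoding, both are rewritten to `/denied`. A plain `/admin/users` or `/old/page` behaves the same either way, which is why a configuration like this looks correct under ordinary testing.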
Rawhide version lighttpd-1.4.20-0.1.r2303.fc10 contains the mod_rewrite part of the fix, but is missing the mod_redirect part.
lighttpd-1.4.20-6.fc9 has been submitted as an update for Fedora 9.
lighttpd-1.4.20-6.fc8 has been submitted as an update for Fedora 8.
Forgot to close this report. Closing now, as 1.4.22 is being pushed to F-9+.