Red Hat Bugzilla – Bug 465752
CVE-2008-4360 lighttpd: mod_userdir information disclosure on case-insensitive filesystems
Last modified: 2009-04-09 13:46:01 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-4360 to the following vulnerability:
mod_userdir in lighttpd before 1.4.20, when a case-insensitive operating system
or filesystem is used, performs case-sensitive comparisons on filename
components in configuration options, which might allow remote attackers to
bypass intended access restrictions, as demonstrated by a request for a .PHP
file when there is a configuration rule for .php files.
all versions before 1.4.20 (1.5 before r2308)
Upstream bug report:
Upstream patches (1.4.x):
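To make the mechanism in the CVE text above concrete, here is a small C simulation. It is an added example, not lighttpd's code and not the upstream patch. It assumes a mod_userdir-style mapping of /~user/... to /home/user/public_html/..., a constructed two-file document root, a flag that models whether the filesystem ignores case, and a single byte-exact ".php" handler rule. The "fixed" variant folds the physical path to lowercase before both the lookup and the rule match whenever the filesystem is case-insensitive; that is one way to remove the mismatch and is an assumption here, not a description of how upstream fixed it.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed document root: the files that exist on disk, as stored. */
static const char *const disk_files[] = {
    "/home/alice/public_html/index.php",
    "/home/alice/public_html/logo.png",
};

/* What the server ends up doing with the request. */
enum outcome { NOT_FOUND, RUN_PHP, SERVE_STATIC };

/* Case-insensitive string equality (ASCII), so the model has no POSIX dependency. */
static bool ci_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == *b;
}

/* Model of the filesystem: lookups ignore case when ci_fs is true. */
static bool file_exists(const char *path, bool ci_fs)
{
    for (size_t i = 0; i < sizeof disk_files / sizeof disk_files[0]; i++) {
        bool same = ci_fs ? ci_equal(disk_files[i], path)
                          : strcmp(disk_files[i], path) == 0;
        if (same)
            return true;
    }
    return false;
}

/* Hypothetical mod_userdir-style mapping: /~user/rest -> /home/user/public_html/rest.
 * Returns false when the URI is not a userdir URI or the result does not fit. */
static bool map_userdir(const char *uri, char *out, size_t outlen)
{
    if (strncmp(uri, "/~", 2) != 0)
        return false;
    const char *user = uri + 2;
    const char *rest = strchr(user, '/');
    if (rest == NULL || rest == user)
        return false;
    int n = snprintf(out, outlen, "/home/%.*s/public_html%s",
                     (int)(rest - user), user, rest);
    return n > 0 && (size_t)n < outlen;
}

/* The configured rule: files ending in ".php" go to the PHP backend.
 * The comparison is byte-exact, which is the behaviour the CVE text describes. */
static bool matches_php_rule(const char *path)
{
    size_t pl = strlen(path), el = strlen(".php");
    return pl >= el && strcmp(path + pl - el, ".php") == 0;
}

static void lowercase_inplace(char *s)
{
    for (; *s; s++)
        *s = (char)tolower((unsigned char)*s);
}

/* Vulnerable flow: the rule is matched against the path in the client's case.
 * On a case-insensitive filesystem /~alice/index.PHP resolves to index.php on
 * disk, fails the ".php" rule, and is sent as a plain file: the PHP source leaks. */
static enum outcome dispatch_vulnerable(const char *uri, bool ci_fs)
{
    char path[256];
    if (!map_userdir(uri, path, sizeof path) || !file_exists(path, ci_fs))
        return NOT_FOUND;
    return matches_php_rule(path) ? RUN_PHP : SERVE_STATIC;
}

/* Hardened flow (assumed fix, not lighttpd's patch): when the filesystem ignores
 * case, fold the path once before both the lookup and the rule match, so every
 * later comparison sees the same canonical spelling. */
static enum outcome dispatch_fixed(const char *uri, bool ci_fs)
{
    char path[256];
    if (!map_userdir(uri, path, sizeof path))
        return NOT_FOUND;
    if (ci_fs)
        lowercase_inplace(path);
    if (!file_exists(path, ci_fs))
        return NOT_FOUND;
    return matches_php_rule(path) ? RUN_PHP : SERVE_STATIC;
}

int main(void)
{
    static const char *const names[] = { "404", "run php", "serve as static file" };
    const char *req = "/~alice/index.PHP";
    printf("%s, case-insensitive fs: vulnerable=%s fixed=%s\n", req,
           names[dispatch_vulnerable(req, true)], names[dispatch_fixed(req, true)]);
    printf("%s, case-sensitive fs:   vulnerable=%s fixed=%s\n", req,
           names[dispatch_vulnerable(req, false)], names[dispatch_fixed(req, false)]);
    return 0;
}
```

On a case-sensitive filesystem the odd-cased request simply misses the file, so the issue only appears where the lookup and the rule disagree about case; the check a practitioner wants is that whatever path string feeds the configuration rules is the same normalized string used to open the file.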
Patch is already part of lighttpd-1.4.20-0.1.r2303.fc10 currently in Rawhide.
lighttpd-1.4.20-6.fc9 has been submitted as an update for Fedora 9.
lighttpd-1.4.20-6.fc8 has been submitted as an update for Fedora 8.
Forgot to close this report. Closing now, as 1.4.22 is being pushed to F-9+.