Bug 437037 (CVE-2008-1270) - CVE-2008-1270 lighttpd considers empty directory string to be CWD
Summary: CVE-2008-1270 lighttpd considers empty directory string to be CWD
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2008-1270
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-03-11 19:59 UTC by Lubomir Kundrak
Modified: 2008-03-11 20:22 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-03-11 20:02:44 UTC

Attachments (Terms of Use)

Description Lubomir Kundrak 2008-03-11 19:59:41 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1270 to the following vulnerability:

mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set, uses a default of $HOME, which might allow remote attackers to read arbitrary files, as demonstrated by accessing the ~nobody directory.

References:

http://trac.lighttpd.net/trac/ticket/1587
https://bugs.gentoo.org/show_bug.cgi?id=212930
https://issues.rpath.com/browse/RPL-2344
Comment 1 Lubomir Kundrak 2008-03-11 20:02:44 UTC 
Fedora Project does not consider this a security vulnerability.

This needs user voluntarily do a senseless and unlike configuration change with
a well-documented and expectable effect. We will not issue a security update for
this, but will follow upstream change of behavior of directive in question with
future versions.
Note You need to log in before you can comment on or make changes to this bug.