OSVDB ID: 23229

Title: lighttpd Unexpected Capitalization File Extension Request Source Disclosure

Info

Disclosure

Jan 15, 2006

Discovery

Unknown

Dates

Exploit

Jan 15, 2006

Solution

Unknown

Description

Lighttpd contains a flaw that may allow a malicious user to display the source code of arbitrary scripts instead of generated response. The issue is triggered when processing specially crafted HTTP requests containing file extensions with unexpected capitalization. It is possible that the flaw may allow to bypass URL checks and obtain sensitive information resulting in a loss of confidentiality.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Confidentiality
Exploit: Exploit Public
Disclosure: OSVDB Verified, Vendor Verified
OSVDB: Web Related

Solution

Upgrade to version 1.4.9 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Jan Kneschke	Lighttpd	1.4.9
		1.4.8

References

Secunia Advisory ID: 18869
CVE ID: 2006-0760 (see also: NVD)
VUPEN Advisory: ADV-2006-0550
Vendor Specific News/Changelog Entry: http://www.lighttpd.net/news/

Credit

Schmidt Ryan - lighty-2006Q1ryandesign.com -

Direct URL: http://osvdb.org/23229

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

Jan Kneschke

Lighttpd

References

Credit