From: Jan Kneschke <jan <at> kneschke.de>
Subject: SECURITY: script exposure in lighttpd 1.3.7 and below
Newsgroups: gmane.comp.web.lighttpd
Date: 2005-02-12 19:32:32 GMT

Dear users,

in lighttpd 1.3.7 and below it is possible to fetch the source files
which should be handled by CGI or FastCGI applications.

- How to reproduce:

  append a %00 to the filename:

  http://www.example.org/index.php%00

- Description

  Control sequences are not mapped out in buffer_urldecode() in buffer.c,
  which leads to a \0 sequence in the filename; lighttpd ignores this and
  handles the %00 as part of the filename.

- Fix

  1. upgrade to the latest version 1.3.10
  2. apply the fixes referenced at http://wiki.lighttpd.net/7.html#A12
  3. apply the attached fix

- affected versions

  1.3.7 and below 

- not affected

  1.3.8 and above
  1.3.7 and below if
  - no CGI or FastCGI is used
  - no CGI is used and FastCGI is running on a remote host

- Credits

  daniel <at> schlach.com

    Jan

-- 
Jan Kneschke                                     http://jan.kneschke.de/
Perhaps you want to say 'thank you, jan':    http://jk.123.org/wishlist/
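
An added example, not lighttpd's code and not the attached fix: a percent-decoder with a strict mode that refuses decoded control bytes, plus a small model of why a decoded \0 matters (a length-aware extension check and the C-string view of the same buffer disagree). The names url_decode and has_suffix, and the choice to reject control bytes rather than rewrite them, are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(unsigned char c) {
    if (isdigit(c)) return c - '0';
    c = (unsigned char)tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Percent-decode in into out (capacity outsz, NUL-terminated on success).
 * Returns the decoded length, or -1 on a malformed escape, on overflow, or,
 * when strict is set, on any decoded control byte (< 0x20 or 0x7f). */
long url_decode(const char *in, char *out, size_t outsz, int strict) {
    size_t n = 0;
    while (*in) {
        unsigned char c = (unsigned char)*in++;
        if (c == '%') {
            int hi = hexval((unsigned char)in[0]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)in[1]);
            if (lo < 0) return -1;
            c = (unsigned char)(hi * 16 + lo);
            in += 2;
        }
        if (strict && (c < 0x20 || c == 0x7f)) return -1;
        if (n + 1 >= outsz) return -1;
        out[n++] = (char)c;
    }
    if (n >= outsz) return -1;
    out[n] = '\0';
    return (long)n;
}

/* Length-aware suffix match, standing in for a handler-by-extension lookup. */
int has_suffix(const char *s, size_t len, const char *suf) {
    size_t sl = strlen(suf);
    return len >= sl && memcmp(s + len - sl, suf, sl) == 0;
}

int main(void) {
    char path[64];
    const char *url = "/index.php%00";  /* constructed sample request path */
    long len = url_decode(url, path, sizeof path, 0);
    printf("lenient: len=%ld strlen=%zu ext-match=%d\n", len, strlen(path),
           has_suffix(path, (size_t)len, ".php"));
    printf("strict:  %ld\n", url_decode(url, path, sizeof path, 1));
    return 0;
}
```

In lenient mode the decoded length is one byte longer than strlen() of the same buffer, so the ".php" match on the full length fails while any C-string file API sees a name ending in ".php"; strict mode rejects the request before that split can occur.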