FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

lighttpd -- script source disclosure vulnerability

Affected packages
lighttpd < 1.3.8

Details

VuXML ID bdad9ada-8a52-11d9-9e53-000a95bc6fae
Discovery 2005-02-12
Entry 2005-03-01

The lighttpd website reports:

In lighttpd 1.3.7 and below it is possible to fetch the source files which should be handled by CGI or FastCGI applications.

The vulnerability is in the handling of urlencoded trailing NUL bytes. Installations that do not use CGI or FastCGI are not affected.
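A log check for the input class this advisory names, added here as an example and not taken from lighttpd or from the VuXML entry: it scans access-log lines for request paths that percent-decode to a NUL byte and records whether the NUL is trailing and whether the server answered 200. The Common Log Format layout, the constructed sample lines and the name `scan_access_log` are assumptions.

```python
import re
from urllib.parse import unquote_to_bytes

# Request and status fields of a Common Log Format line (assumed log layout).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Feb/2005:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '192.0.2.44 - - [14/Feb/2005:10:01:09 +0000] "GET /index.php%00 HTTP/1.1" 200 1873',
    '192.0.2.44 - - [14/Feb/2005:10:01:15 +0000] "GET /cgi-bin/form.pl%00 HTTP/1.0" 404 345',
    '192.0.2.71 - - [14/Feb/2005:10:02:30 +0000] "GET /search?q=a%00b HTTP/1.1" 200 911',
]


def scan_access_log(lines):
    """Return one finding per request whose path decodes to a NUL byte."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match is None:
            continue  # not a request line in the assumed format
        # Only the path selects the handler and the file; ignore the query.
        path = match.group("target").split("?", 1)[0]
        decoded = unquote_to_bytes(path)
        if b"\x00" not in decoded:
            continue
        findings.append({
            "line": lineno,
            "path": path,
            # The advisory concerns trailing NUL bytes specifically.
            "trailing": decoded.endswith(b"\x00"),
            # A 200 means content was returned and the response needs review.
            "served": match.group("status") == "200",
        })
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

A finding with `served` set on a host that ran lighttpd below 1.3.8 with CGI or FastCGI enabled is the case to review first.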

References

Bugtraq ID 12567
CVE Name CVE-2005-0453
Message http://article.gmane.org/gmane.comp.web.lighttpd/1171
URL http://www.lighttpd.net/news/
URL http://xforce.iss.net/xforce/xfdb/19350