Lighttpd security announcement:

lighttpd 1.4.19, and possibly other versions before 1.5.0, does
not decode the url before matching against rewrite and redirect
patterns, which allows attackers to bypass rewrite rules. This
can be a security problem in certain configurations if these rules
are used to hide certain urls.

lighttpd 1.4.19, and possibly other versions before 1.5.0, does
not lowercase the filename after generating it from the url in
mod_userdir on case insensitive (file)systems.
As other modules are case sensitive, this may lead to information
disclosure; for example, if one configured php to handle files
ending in ".php", an attacker will get the php source with
http://example.com/~user/file.PHP

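The two normalisation defects above (matching rewrite patterns against the still-encoded url, and not lowercasing the mod_userdir filename on case insensitive filesystems) modelled side by side with the corrected behaviour, as an added example that is not lighttpd code; the hide pattern, the ".php" handler suffix and the request paths are constructed for illustration.

```python
# Added example (not lighttpd source): a minimal model of the two
# normalisation steps the advisory says lighttpd 1.4.19 gets wrong.
import re
from urllib.parse import unquote

# Constructed config: a rewrite/redirect-style rule meant to hide /private/
# and a PHP handler selected by file suffix, as in a typical lighttpd setup.
HIDE_PATTERN = re.compile(r"^/private/")
PHP_SUFFIX = ".php"


def is_hidden(request_url: str, decode_first: bool) -> bool:
    """Return True if the hide rule matches the request.

    decode_first=False models 1.4.19: the pattern is matched against the raw,
    percent-encoded url, so an encoded spelling of the path is not caught.
    decode_first=True is the corrected behaviour: decode, then match.
    """
    subject = unquote(request_url) if decode_first else request_url
    return bool(HIDE_PATTERN.search(subject))


def handler_for(filename: str, case_insensitive_fs: bool,
                lowercase_first: bool) -> str:
    """Select the handler for a mod_userdir-generated filename.

    On a case insensitive filesystem 'file.PHP' and 'file.php' open the same
    file, but the suffix check is case sensitive. Without lowercasing the
    generated name (1.4.19) the PHP handler is skipped and the file is served
    as static content, i.e. the PHP source is disclosed. Lowercasing is only
    correct on a case insensitive filesystem; elsewhere it would open a
    different file.
    """
    name = filename.lower() if (case_insensitive_fs and lowercase_first) else filename
    return "php" if name.endswith(PHP_SUFFIX) else "static"


if __name__ == "__main__":
    # Regression checks a defender would keep for both fixes.
    for url in ("/private/x", "/%70rivate/x"):
        print(url, "1.4.19:", is_hidden(url, False), "fixed:", is_hidden(url, True))
    print("file.PHP 1.4.19:", handler_for("file.PHP", True, False),
          "fixed:", handler_for("file.PHP", True, True))
```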
lighttpd 1.4.19 does not always release a header if it triggered
a 400 (Bad Request) due to a duplicate header.