23229 : lighttpd Unexpected Capitalization File Extension Request Source Disclosure
Printer | http://osvdb.org/23229 | Email This | Edit Vulnerability

Views This Week

Views All Time

Info

Last Modified

6 months ago

Percent Complete

100%

Disclosure

Jan 15, 2006

Discovery

Unknown

Dates

Exploit

Jan 15, 2006

Solution

Unknown

Description

Lighttpd contains a flaw that may allow a malicious user to display the source code of arbitrary scripts instead of generated response. The issue is triggered when processing specially crafted HTTP requests containing file extensions with unexpected capitalization. It is possible that the flaw may allow to bypass URL checks and obtain sensitive information resulting in a loss of confidentiality.

Classification

Location: Remote/Network Access Required
Attack Type: Input Manipulation
Impact: Loss of Confidentiality
Exploit: Exploit Available
Disclosure: OSVDB Verified
OSVDB: Web Related

Technical

This issue can only be exploited on case insenstive file-systems like NTFS and FAT on Windows and HFS(+) on MacOSX operating systems.

Solution

Upgrade to version 1.4.9 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Jan Kneschke	Lighttpd	1.4.9
		1.4.8

References

FrSIRT Advisory: ADV-2006-0550
Vendor Specific News/Changelog Entry: http://www.lighttpd.net/news/
Secunia Advisory ID: 18869
CVE ID: 2006-0760 (see also: NVD)

Manual Testing Notes

Credit

Schmidt Ryan - lighty-2006Q1ryandesign.com -

Blogs

Provided by Technorati

None found at this time

Comments

Add Comment Hide Add Comment

No Comments.

DONATE NOW!

User Status

Account
- Login
- Sign-Up

Quick Searches

Views This Week

Views All Time

Info

Last Modified

Percent Complete

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Technical

Solution

Products

Jan Kneschke

Lighttpd

References

Manual Testing Notes

Credit

Blogs

Comments