|
|
>> Lighttpd 1.3.x Remote Source Code Disclosure Vulnerability
|
Title : Lighttpd 1.3.x Remote Source Code Disclosure Vulnerability
VUPEN ID : VUPEN/ADV-2005-0170
CVE ID : CVE-2005-0453
CWE ID : CWE-
Rated as : High Risk 
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2005-02-16
|
A new vulnerability was reported in Lighttpd, it can be exploited by attackers to disclose the source code of CGI/FastCGI files. The problem resides in the "buffer_urldecode()" (buffer.c) function when handling specially crafted URLs, which may be exploited to display the source code of arbitrary files instead of expected HTML responses.
http://www.vulnerable.com/index.php%00
Affected Products
Lighttpd version 1.3.7 and prior
Solution
Lighttpd version 1.3.10 :
http://wiki.lighttpd.net/
References
http://www.vupen.com/english/advisories/2005/0170
http://article.gmane.org/gmane.comp.web.lighttpd/1171
Credits
Vulnerability reported by Jan Kneschke
ChangeLog
2005-02-16 : Initial release
2005-02-18 : Updated CVE
Vulnerability Management
Subscribe to VUPEN VNS and receive real-time alerts when new advisories or patches relevant to your systems and network configurations are available.
Feedback
If you have additional information or corrections for this security advisory please submit them via our contact form. | |
|
