Vulnerability Name:

CVE-2006-0760 (CCN-24699)

Assigned:2006-02-13
Published:2006-02-13
Updated:2017-07-20
Summary:LightTPD 1.4.8 and earlier, when the web root is on a case-insensitive filesystem, allows remote attackers to bypass URL checks and obtain sensitive information via file extensions with unexpected capitalization, as demonstrated by a request for index.PHP when the configuration invokes the PHP interpreter only for ".php" names.
CVSS v3 Severity:3.7 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): None
Availibility (A): None
CVSS v2 Severity:2.6 Low (CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N)
2.2 Low (Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
2.6 Low (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N)
2.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
Vulnerability Type:CWE-Other
Vulnerability Consequences:Obtain Information
References:Source: MITRE
Type: CNA
CVE-2006-0760

Source: CCN
Type: lighttpd Web site
SECURITY: source file retrieval in lighttpd 1.4.8 and below

Source: CONFIRM
Type: UNKNOWN
http://www.lighttpd.net/news/

Source: CCN
Type: SA18869
Lighttpd Case-Insensitive Filename Source Code Disclosure

Source: SECUNIA
Type: Patch, Vendor Advisory
18869

Source: CONFIRM
Type: UNKNOWN
http://lighttpd.net/news/

Source: OSVDB
Type: UNKNOWN
23229

Source: CCN
Type: OSVDB ID: 23229
lighttpd Unexpected Capitalization File Extension Request Source Disclosure

Source: VUPEN
Type: UNKNOWN
ADV-2006-0550

Source: XF
Type: UNKNOWN
lighttpd-ext-source-disclosure(24699)

Source: XF
Type: UNKNOWN
lighttpd-ext-source-disclosure(24699)

Vulnerable Configuration:Configuration 1:
  • cpe:/a:lighttpd:lighttpd:1.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.1.4:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.1.5:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.1.6:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.1.7:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.1.8:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.1.9:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.2.5:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.2.6:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.2.7:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.2.8:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.3.3:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.3.4:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.3.5:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.3.6:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.3.7:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.3.8:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.3.9:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.3.10:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.3.11:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.3.12:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.3.13:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.3.14:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.3.15:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.3.16:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.4.2:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.4.3:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.4.4:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.4.5:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.4.6:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.4.7:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.4.8:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:lighttpd:lighttpd:1.4.8:*:*:*:*:*:*:*
  • AND
  • cpe:/o:freebsd:freebsd:*:*:*:*:*:*:*:*
  • OR cpe:/o:netbsd:netbsd:*:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:*:*:*:*:*:*:*:*
  • OR cpe:/o:slackware:slackware_linux:*:*:*:*:*:*:*:*
  • OR cpe:/o:openbsd:openbsd:*:*:*:*:*:*:*:*
  • OR cpe:/o:gentoo:linux:*:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora_core:4:*:*:*:*:*:*:*
  • OR cpe:/a:canonical:ubuntu-core-launcher:1.0.27:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    lighttpd lighttpd 1.0.2
    lighttpd lighttpd 1.0.3
    lighttpd lighttpd 1.1.0
    lighttpd lighttpd 1.1.1
    lighttpd lighttpd 1.1.2
    lighttpd lighttpd 1.1.3
    lighttpd lighttpd 1.1.4
    lighttpd lighttpd 1.1.5
    lighttpd lighttpd 1.1.6
    lighttpd lighttpd 1.1.7
    lighttpd lighttpd 1.1.8
    lighttpd lighttpd 1.1.9
    lighttpd lighttpd 1.2.0
    lighttpd lighttpd 1.2.1
    lighttpd lighttpd 1.2.2
    lighttpd lighttpd 1.2.3
    lighttpd lighttpd 1.2.4
    lighttpd lighttpd 1.2.5
    lighttpd lighttpd 1.2.6
    lighttpd lighttpd 1.2.7
    lighttpd lighttpd 1.2.8
    lighttpd lighttpd 1.3.0
    lighttpd lighttpd 1.3.1
    lighttpd lighttpd 1.3.2
    lighttpd lighttpd 1.3.3
    lighttpd lighttpd 1.3.4
    lighttpd lighttpd 1.3.5
    lighttpd lighttpd 1.3.6
    lighttpd lighttpd 1.3.7
    lighttpd lighttpd 1.3.8
    lighttpd lighttpd 1.3.9
    lighttpd lighttpd 1.3.10
    lighttpd lighttpd 1.3.11
    lighttpd lighttpd 1.3.12
    lighttpd lighttpd 1.3.13
    lighttpd lighttpd 1.3.14
    lighttpd lighttpd 1.3.15
    lighttpd lighttpd 1.3.16
    lighttpd lighttpd 1.4.0
    lighttpd lighttpd 1.4.1
    lighttpd lighttpd 1.4.2
    lighttpd lighttpd 1.4.3
    lighttpd lighttpd 1.4.4
    lighttpd lighttpd 1.4.5
    lighttpd lighttpd 1.4.6
    lighttpd lighttpd 1.4.7
    lighttpd lighttpd 1.4.8
    lighttpd lighttpd 1.4.8
    freebsd freebsd *
    netbsd netbsd *
    debian debian linux *
    slackware slackware linux *
    openbsd openbsd *
    gentoo linux *
    fedoraproject fedora core 4
    canonical ubuntu-core-launcher 1.0.27