Vulnerability Name: | CVE-2008-4360 (CCN-45689) |
Assigned: | 2008-09-30 |
Published: | 2008-09-30 |
Updated: | 2018-11-29 |
Summary: | mod_userdir in lighttpd before 1.4.20, when a case-insensitive operating system or filesystem is used, performs case-sensitive comparisons on filename components in configuration options, which might allow remote attackers to bypass intended access restrictions, as demonstrated by a request for a .PHP file when there is a configuration rule for .php files.
|
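The summary describes the mechanism but not how the bypass plays out end to end. The following added example (this editor's model, not lighttpd's own code) simulates mod_userdir's URL-to-file mapping for a per-user directory and shows why a case-sensitive extension match on a case-insensitive filesystem lets a request for `secret.PHP` reach the static file handler, disclosing PHP source, while a request for the same file on a case-sensitive filesystem simply 404s. The `select_handler_fixed` function mirrors the effect of `server.force-lowercase-filenames` (Ticket #1589); the directory layout `/home/<user>/public_html`, the `fastcgi`/`static` handler names and the file list are assumptions constructed for the demonstration.

```python
"""Added example: CVE-2008-4360 style case-mismatch bypass in a userdir mapping.
Not lighttpd source; a model of the behaviour the advisory describes."""
import os
import tempfile

# Constructed "filesystem" for the demo: alice has one PHP script in her userdir.
SIMULATED_FILES = {"/home/alice/public_html/secret.php"}

# Mirrors a config such as  fastcgi.server = ( ".php" => ( ... ) ).
# Keys are lowercase, as lighttpd expects when force-lowercase-filenames is on.
RULES = {".php": "fastcgi"}


def filesystem_is_case_insensitive(directory=None):
    """Probe whether the local filesystem folds case (this probe is the example's
    own logic; lighttpd has its own detection behind server.force-lowercase-filenames)."""
    with tempfile.TemporaryDirectory(dir=directory) as tmp:
        with open(os.path.join(tmp, "CaseProbe.tmp"), "w") as fh:
            fh.write("x")
        return os.path.exists(os.path.join(tmp, "caseprobe.tmp"))


def userdir_physical_path(url_path):
    """Map /~user/rest to /home/user/public_html/rest (assumed userdir.path)."""
    parts = url_path.lstrip("/").split("/", 1)
    if not parts[0].startswith("~"):
        raise ValueError("not a userdir URL")
    user = parts[0][1:]
    rest = parts[1] if len(parts) > 1 else ""
    return "/home/%s/public_html/%s" % (user, rest)


def file_exists(physical, case_insensitive_fs):
    """A case-insensitive filesystem finds secret.php when asked for secret.PHP."""
    if case_insensitive_fs:
        return physical.lower() in {f.lower() for f in SIMULATED_FILES}
    return physical in SIMULATED_FILES


def select_handler_vulnerable(physical, rules):
    """Pre-1.4.20 behaviour in userdirs: compare the filename component verbatim,
    so ".PHP" never equals ".php" and the request falls through to static serving."""
    ext = os.path.splitext(physical)[1]
    return rules.get(ext, "static")


def select_handler_fixed(physical, rules, case_insensitive_fs):
    """Fixed behaviour: when the filesystem folds case, fold the filename component
    (and the rule keys) before matching, as server.force-lowercase-filenames does."""
    if case_insensitive_fs:
        physical = physical.lower()
        rules = {k.lower(): v for k, v in rules.items()}
    ext = os.path.splitext(physical)[1]
    return rules.get(ext, "static")


def serve(url_path, rules, case_insensitive_fs, fixed):
    """Return '404' or the handler that would process the request."""
    physical = userdir_physical_path(url_path)
    if not file_exists(physical, case_insensitive_fs):
        return "404"
    if fixed:
        return select_handler_fixed(physical, rules, case_insensitive_fs)
    return select_handler_vulnerable(physical, rules)


def demo():
    """Walk the four interesting cases; returns a dict for inspection."""
    return {
        "ci_fs_vuln_PHP": serve("/~alice/secret.PHP", RULES, True, fixed=False),
        "ci_fs_fixed_PHP": serve("/~alice/secret.PHP", RULES, True, fixed=True),
        "ci_fs_vuln_php": serve("/~alice/secret.php", RULES, True, fixed=False),
        "cs_fs_vuln_PHP": serve("/~alice/secret.PHP", RULES, False, fixed=False),
    }


if __name__ == "__main__":
    print("local filesystem case-insensitive:", filesystem_is_case_insensitive())
    for name, result in demo().items():
        print("%-18s -> %s" % (name, result))
```

The first result is the disclosure: on a case-insensitive filesystem the unpatched matcher hands `secret.PHP` to the static file handler, so the script source is returned instead of being executed. The last result shows why the advisory scopes the issue to case-insensitive operating systems or filesystems: on a case-sensitive one the mismatched name does not resolve at all.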
CVSS v3 Severity: | 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) |
Exploitability Metrics: | Attack Vector (AV): Network | Attack Complexity (AC): Low | Privileges Required (PR): None | User Interaction (UI): None |
Scope: | Scope (S): Unchanged |
Impact Metrics: | Confidentiality (C): Low | Integrity (I): None | Availability (A): None |
|
CVSS v2 Severity: | 7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P) | 5.5 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C) |
Exploitability Metrics: | Access Vector (AV): Network | Access Complexity (AC): Low | Authentication (Au): None |
Impact Metrics: | Confidentiality (C): Partial | Integrity (I): Partial | Availability (A): Partial |
CCN CVSS v2 Severity: | 5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N) | 3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C) |
Exploitability Metrics: | Access Vector (AV): Network | Access Complexity (AC): Low | Authentication (Au): None |
Impact Metrics: | Confidentiality (C): Partial | Integrity (I): None | Availability (A): None |
|
Vulnerability Type: | CWE-200 |
Vulnerability Consequences: | Obtain Information |
References: | Source: MITRE Type: CNA CVE-2008-4360
Source: SUSE Type: Third Party Advisory SUSE-SR:2008:026
Source: CCN Type: oss-security Mailing List, Tue, 30 Sep 2008 16:55:06 +0200 Re: CVE request: lighttpd issues
Source: MLIST Type: Mailing List, Third Party Advisory [oss-security] 20080930 Re: CVE request: lighttpd issues
Source: CCN Type: oss-security Mailing List, Tue, 30 Sep 2008 17:03:09 +0200 Re: CVE request: lighttpd issues
Source: MLIST Type: Mailing List, Third Party Advisory [oss-security] 20080930 Re: CVE request: lighttpd issues
Source: CCN Type: oss-security Mailing List, Tue, 30 Sep 2008 14:25:56 -0400 (EDT) Re: Re: CVE request: lighttpd issues
Source: MLIST Type: Mailing List, Third Party Advisory [oss-security] 20080930 Re: Re: CVE request: lighttpd issues
Source: CCN Type: SA32069 lighttpd Duplicate Request Headers Memory Leak Vulnerability
Source: SECUNIA Type: Third Party Advisory 32069
Source: SECUNIA Type: Third Party Advisory 32132
Source: SECUNIA Type: Third Party Advisory 32480
Source: SECUNIA Type: Third Party Advisory 32834
Source: SECUNIA Type: Third Party Advisory 32972
Source: GENTOO Type: Third Party Advisory GLSA-200812-04
Source: CONFIRM Type: Broken Link, Vendor Advisory http://trac.lighttpd.net/trac/changeset/2283
Source: CONFIRM Type: Broken Link, Vendor Advisory http://trac.lighttpd.net/trac/changeset/2308
Source: CCN Type: LIGHTTPD Web site: Ticket #1589 server.force-lowercase-filenames doesn't work inside userdir's
Source: CONFIRM Type: Patch, Vendor Advisory http://trac.lighttpd.net/trac/ticket/1589
Source: CONFIRM Type: Third Party Advisory http://wiki.rpath.com/Advisories:rPSA-2008-0309
Source: CONFIRM Type: Third Party Advisory http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0309
Source: DEBIAN Type: Third Party Advisory DSA-1645
Source: DEBIAN Type: DSA-1645 lighttpd -- various
Source: CCN Type: GLSA-200812-04 lighttpd: Multiple vulnerabilities
Source: CCN Type: LIGHTTPD Web site lighttpd fly flight
Source: CONFIRM Type: Patch, Vendor Advisory http://www.lighttpd.net/security/lighttpd-1.4.x_userdir_lowercase.patch
Source: CCN Type: lighttpd_sa_2008_06 mod_userdir information disclosure
Source: CONFIRM Type: Patch, Vendor Advisory http://www.lighttpd.net/security/lighttpd_sa_2008_06.txt
Source: CCN Type: OSVDB ID: 48889 lighttpd mod_userdir Filename Component Case Mismatch Remote Access Restriction Bypass
Source: BUGTRAQ Type: Third Party Advisory, VDB Entry 20081030 rPSA-2008-0309-1 lighttpd
Source: BID Type: Third Party Advisory, VDB Entry 31600
Source: CCN Type: BID-31600 Lighttpd 'mod_userdir' Case Sensitive Comparison Security Bypass Vulnerability
Source: VUPEN Type: Third Party Advisory ADV-2008-2741
Source: XF Type: Third Party Advisory, VDB Entry lighttpd-moduserdir-info-disclosure(45689)
Source: SUSE Type: SUSE-SR:2008:026 SUSE Security Summary Report
Source: SUSE Type: SUSE-SR:2009:020 SUSE Security Summary Report
|
Vulnerable Configuration: | Configuration 1: cpe:/a:lighttpd:lighttpd:*:*:*:*:*:*:*:* (Version < 1.4.20)
Configuration 2: cpe:/o:debian:debian_linux:4.0:*:*:*:*:*:*:*
Configuration CCN 1: (
cpe:/a:lighttpd:lighttpd:1.0.2:*:*:*:*:*:*:* OR cpe:/a:lighttpd:lighttpd:1.0.3:*:*:*:*:*:*:* OR
cpe:/a:lighttpd:lighttpd:1.1.0:*:*:*:*:*:*:* OR cpe:/a:lighttpd:lighttpd:1.1.1:*:*:*:*:*:*:* OR cpe:/a:lighttpd:lighttpd:1.1.2:*:*:*:*:*:*:* OR cpe:/a:lighttpd:lighttpd:1.1.3:*:*:*:*:*:*:* OR cpe:/a:lighttpd:lighttpd:1.1.4:*:*:*:*:*:*:* OR cpe:/a:lighttpd:lighttpd:1.1.5:*:*:*:*:*:*:* OR cpe:/a:lighttpd:lighttpd:1.1.6:*:*:*:*:*:*:* OR cpe:/a:lighttpd:lighttpd:1.1.7:*:*:*:*:*:*:* OR cpe:/a:lighttpd:lighttpd:1.1.8:*:*:*:*:*:*:* OR cpe:/a:lighttpd:lighttpd:1.1.9:*:*:*:*:*:*:* OR
cpe:/a:lighttpd:lighttpd:1.2.0:*:*:*:*:*:*:* OR cpe:/a:lighttpd:lighttpd:1.2.1:*:*:*:*:*:*:* OR cpe:/a:lighttpd:lighttpd:1.2.2:*:*:*:*:*:*:* OR cpe:/a:lighttpd:lighttpd:1.2.3:*:*:*:*:*:*:* OR cpe:/a:lighttpd:lighttpd:1.2.4:*:*:*:*:*:*:* OR cpe:/a:lighttpd:lighttpd:1.2.5:*:*:*:*:*:*:* OR cpe:/a:lighttpd:lighttpd:1.2.6:*:*:*:*:*:*:* OR cpe:/a:lighttpd:lighttpd:1.2.7:*:*:*:*:*:*:* OR cpe:/a:lighttpd:lighttpd:1.2.8:*:*:*:*:*:*:* OR
cpe:/a:lighttpd:lighttpd:1.3.0:*:*:*:*:*:*:* OR cpe:/a:lighttpd:lighttpd:1.3.1:*:*:*:*:*:*:* OR cpe:/a:lighttpd:lighttpd:1.3.2:*:*:*:*:*:*:* OR cpe:/a:lighttpd:lighttpd:1.3.3:*:*:*:*:*:*:* OR cpe:/a:lighttpd:lighttpd:1.3.4:*:*:*:*:*:*:* OR cpe:/a:lighttpd:lighttpd:1.3.5:*:*:*:*:*:*:* OR cpe:/a:lighttpd:lighttpd:1.3.6:*:*:*:*:*:*:* OR cpe:/a:lighttpd:lighttpd:1.3.7:*:*:*:*:*:*:* OR cpe:/a:lighttpd:lighttpd:1.3.8:*:*:*:*:*:*:* OR cpe:/a:lighttpd:lighttpd:1.3.9:*:*:*:*:*:*:* OR cpe:/a:lighttpd:lighttpd:1.3.10:*:*:*:*:*:*:* OR cpe:/a:lighttpd:lighttpd:1.3.11:*:*:*:*:*:*:* OR cpe:/a:lighttpd:lighttpd:1.3.12:*:*:*:*:*:*:* OR cpe:/a:lighttpd:lighttpd:1.3.13:*:*:*:*:*:*:* OR cpe:/a:lighttpd:lighttpd:1.3.14:*:*:*:*:*:*:* OR cpe:/a:lighttpd:lighttpd:1.3.15:*:*:*:*:*:*:* OR cpe:/a:lighttpd:lighttpd:1.3.16:*:*:*:*:*:*:* OR
cpe:/a:lighttpd:lighttpd:1.4.0:*:*:*:*:*:*:* OR cpe:/a:lighttpd:lighttpd:1.4.1:*:*:*:*:*:*:* OR cpe:/a:lighttpd:lighttpd:1.4.10:*:*:*:*:*:*:* OR cpe:/a:lighttpd:lighttpd:1.4.11:*:*:*:*:*:*:* OR cpe:/a:lighttpd:lighttpd:1.4.12:*:*:*:*:*:*:* OR cpe:/a:lighttpd:lighttpd:1.4.13:*:*:*:*:*:*:* OR cpe:/a:lighttpd:lighttpd:1.4.14:*:*:*:*:*:*:* OR cpe:/a:lighttpd:lighttpd:1.4.15:*:*:*:*:*:*:* OR cpe:/a:lighttpd:lighttpd:1.4.16:*:*:*:*:*:*:* OR cpe:/a:lighttpd:lighttpd:1.4.17:*:*:*:*:*:*:* OR cpe:/a:lighttpd:lighttpd:1.4.18:*:*:*:*:*:*:* OR cpe:/a:lighttpd:lighttpd:1.4.19:*:*:*:*:*:*:*
) AND ( cpe:/o:gentoo:linux:*:*:*:*:*:*:*:* OR cpe:/o:debian:debian_linux:4.0:*:*:*:*:*:*:* ) |