Date: Tue, 30 Sep 2008 17:03:09 +0200
From: Christian Hoffmann <hoffie@...too.org>
To: coley@...re.org
CC: vendor-sec@....de, darix@...nsu.se, stbuehler@....de,
oss-security@...ts.openwall.com
Subject: Re: CVE request: lighttpd issues
Sorry for the spam, I fail..
On 2008-09-30 16:55, Christian Hoffmann wrote:
> We still need CVEs for these three issues.
Wrong, only two are remaining, see below.
>> * Unexpected behavior of url.redirect / url.rewrite config options
>>
>> While this is not a security issue in lighttpd, the user might
>> rely on the fact that those options are supposed to be matched
>> against the urldecoded version of the URL. Depending on the
>> configuration, this would allow for unwanted access to certain
>> resources (information disclosure or even manipulation of data)
This one.
>>
>> * Information disclosure w/ mod_userdir on case-insensitive file
>> systems
And this one.
>>
>> * User-controllable memory leak, possibly leading to a Denial of
>> Service
This has been assigned CVE-2008-4298 already.
--
Christian Hoffmann