Executive Summary

Information

Name: CVE-2008-4359
First vendor publication: 2008-10-03
Vendor: Cve
Last vendor modification: 2011-03-07

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS base score: 7.5        Attack range: Network
CVSS impact score: 6.4      Attack complexity: Low
CVSS exploit score: 10      Authentication: None required

Security Protection

Impacts: Provides unauthorized access; allows partial confidentiality, integrity, and availability violation; allows unauthorized disclosure of information; allows disruption of service.

Detail

lighttpd before 1.4.20 compares URIs to patterns in the (1) url.redirect and (2) url.rewrite configuration settings before performing URL decoding, which might allow remote attackers to bypass intended access restrictions, and obtain sensitive information or possibly modify data.
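The weakness described above is an ordering problem: a pattern is compared against the request URI as it arrived on the wire, but the path that is later served (or rewritten) is the percent-decoded form, so the two checks see different strings. The following added example (written here for illustration, not lighttpd's own code or the patched changesets linked below) models a single `url.redirect`-style rule and contrasts the two orderings, so a defender can use it as a regression check that path restrictions are evaluated on the normalized path. The rule, the `/login` target and the sample request URIs are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed rule in the shape of a url.redirect entry: regex -> target.
# Assumption for this example: requests under /admin/ must be redirected
# to a login page before anything is served.
REDIRECT_RULES = [(re.compile(r"^/admin/"), "/login")]


def remove_dot_segments(path):
    """Collapse '.' and '..' segments of an absolute path (RFC 3986 style).

    Leading '/' is always preserved so '..' can never climb above root.
    """
    out = []
    for seg in path.split("/")[1:]:
        if seg == "..":
            if out:
                out.pop()
        elif seg != ".":
            out.append(seg)
    return "/" + "/".join(out)


def normalize_path(raw_uri):
    """Return the canonical path a server would actually serve for raw_uri.

    Percent-decoding is applied exactly once: '%2561' becomes '%61', not 'a',
    which keeps the decision single-pass and prevents double-decoding tricks.
    """
    path = raw_uri.split("?", 1)[0]          # query string is not part of the path
    decoded = unquote(path)                  # decode once
    if "\x00" in decoded:
        raise ValueError("NUL byte in request path")
    if not decoded.startswith("/"):
        decoded = "/" + decoded
    return remove_dot_segments(decoded)


def apply_rules(path, rules):
    """First matching rule wins; None means no redirect applies."""
    for pattern, target in rules:
        if pattern.search(path):
            return target
    return None


def match_before_decode(raw_uri, rules=REDIRECT_RULES):
    """Vulnerable ordering: rules see the raw URI, the file layer sees the
    decoded one. Returns (redirect_target_or_None, path_that_would_be_served)."""
    raw_path = raw_uri.split("?", 1)[0]
    target = apply_rules(raw_path, rules)
    served = normalize_path(raw_uri)
    return target, served


def match_after_decode(raw_uri, rules=REDIRECT_RULES):
    """Fixed ordering: normalize first, then match rules against the same
    string that will be served, so both decisions agree."""
    path = normalize_path(raw_uri)
    return apply_rules(path, rules), path


if __name__ == "__main__":
    for uri in ("/admin/config", "/%61dmin/config", "/public/../admin/x", "/public/index.html"):
        print(uri, "before:", match_before_decode(uri), "after:", match_after_decode(uri))
```

Run as a script it prints, for each constructed URI, the redirect decision under both orderings; the difference between the two columns for the encoded and dot-segment forms is exactly the inconsistency the advisory describes, and the fixed function is the behaviour to expect from a patched server.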

Original Source

URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4359

CWE : Common Weakness Enumeration

ID: CWE-200
Name: Information Exposure

CPE : Common Platform Enumeration

Type: Application
Count: 13

OpenVAS Exploits

2009-02-13  Name: Fedora Core 9 FEDORA-2008-11923 (lighttpd)
            File: nvt/fcore_2008_11923.nasl
2008-12-03  Name: Gentoo Security Advisory GLSA 200812-04 (lighttpd)
            File: nvt/glsa_200812_04.nasl
2008-10-03  Name: FreeBSD Ports: lighttpd
            File: nvt/freebsd_lighttpd5.nasl

Open Source Vulnerability Database (OSVDB)

ID: 48886
Description: lighttpd url.redirect / url.rewrite URL Decoding Remote Security Bypass

Nessus® Vulnerability Scanner

2009-07-21  Name: The remote openSUSE host is missing a security update.
            File: suse_11_0_lighttpd-081114.nasl - Type: ACT_GATHER_INFO
2009-02-13  Name: The remote Fedora host is missing a security update.
            File: fedora_2008-11923.nasl - Type: ACT_GATHER_INFO
2008-12-03  Name: The remote Gentoo host is missing one or more security-related patches.
            File: gentoo_GLSA-200812-04.nasl - Type: ACT_GATHER_INFO
2008-11-18  Name: The remote openSUSE host is missing a security update.
            File: suse_lighttpd-5785.nasl - Type: ACT_GATHER_INFO
2008-10-07  Name: The remote Debian host is missing a security-related update.
            File: debian_DSA-1645.nasl - Type: ACT_GATHER_INFO
2008-10-03  Name: The remote web server may be affected by several issues.
            File: lighttpd_1_4_20.nasl - Type: ACT_GATHER_INFO
2008-09-29  Name: The remote FreeBSD host is missing a security-related update.
            File: freebsd_pkg_fb911e318ceb11ddbb29000c6e274733.nasl - Type: ACT_GATHER_INFO

Internal Sources (Detail)

BID:      http://www.securityfocus.com/bid/31599
BUGTRAQ:  http://www.securityfocus.com/archive/1/archive/1/497932/100/0/threaded
CONFIRM:  http://trac.lighttpd.net/trac/changeset/2278
          http://trac.lighttpd.net/trac/changeset/2307
          http://trac.lighttpd.net/trac/changeset/2309
          http://trac.lighttpd.net/trac/changeset/2310
          http://trac.lighttpd.net/trac/ticket/1720
          http://wiki.rpath.com/Advisories:rPSA-2008-0309
          http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0309
          http://www.lighttpd.net/security/lighttpd_sa_2008_05.txt
          http://www.lighttpd.net/security/lighttpd-1.4.x_rewrite_redirect_decode_url.p...
DEBIAN:   http://www.debian.org/security/2008/dsa-1645
GENTOO:   http://security.gentoo.org/glsa/glsa-200812-04.xml
MLIST:    http://openwall.com/lists/oss-security/2008/09/30/1
          http://openwall.com/lists/oss-security/2008/09/30/2
          http://openwall.com/lists/oss-security/2008/09/30/3
SECUNIA:  http://secunia.com/advisories/32069
          http://secunia.com/advisories/32132
          http://secunia.com/advisories/32480
          http://secunia.com/advisories/32834
          http://secunia.com/advisories/32972
SUSE:     http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00002.html
VUPEN:    http://www.vupen.com/english/advisories/2008/2741
XF:       http://xforce.iss.net/xforce/xfdb/45690

Alert History

Date / Information
2014-02-17 10:46:48
  • Multiple Updates
2013-05-11 00:27:22
  • Multiple Updates