Executive Summary

Information

Name : CVE-2008-4359
Vendor : Cve
First vendor Publication : 2008-10-03
Last vendor Modification : 2011-03-07

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Cvss Base Score : 7.5        Attack Range : Network
Cvss Impact Score : 6.4      Attack Complexity : Low
Cvss Exploit Score : 10      Authentication : None Required

Security Protection

Impacts : Provides unauthorized access : Allows partial confidentiality, integrity, and availability violation; Allows unauthorized disclosure of information; Allows disruption of service.

Detail

lighttpd before 1.4.20 compares URIs to patterns in the (1) url.redirect and (2) url.rewrite configuration settings before performing URL decoding, which might allow remote attackers to bypass intended access restrictions, and obtain sensitive information or possibly modify data.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4359

CWE : Common Weakness Enumeration

%        id         Name
100 %    CWE-200    Information Exposure

CPE : Common Platform Enumeration

Type           Description    Count
Application                   13

OpenVAS Exploits

Date          Description
2009-02-13    Name : Fedora Core 9 FEDORA-2008-11923 (lighttpd)
              File : nvt/fcore_2008_11923.nasl
2008-12-03    Name : Gentoo Security Advisory GLSA 200812-04 (lighttpd)
              File : nvt/glsa_200812_04.nasl
2008-10-03    Name : FreeBSD Ports: lighttpd
              File : nvt/freebsd_lighttpd5.nasl

Open Source Vulnerability Database (OSVDB)

id       Description
48886    lighttpd url.redirect / url.rewrite URL Decoding Remote Security Bypass

Nessus® Vulnerability Scanner

Date          Description
2009-07-21    Name : The remote openSUSE host is missing a security update.
              File : suse_11_0_lighttpd-081114.nasl - Type : ACT_GATHER_INFO
2009-02-13    Name : The remote Fedora host is missing a security update.
              File : fedora_2008-11923.nasl - Type : ACT_GATHER_INFO
2008-12-03    Name : The remote Gentoo host is missing one or more security-related patches.
              File : gentoo_GLSA-200812-04.nasl - Type : ACT_GATHER_INFO
2008-11-18    Name : The remote openSUSE host is missing a security update.
              File : suse_lighttpd-5785.nasl - Type : ACT_GATHER_INFO
2008-10-07    Name : The remote Debian host is missing a security-related update.
              File : debian_DSA-1645.nasl - Type : ACT_GATHER_INFO
2008-10-03    Name : The remote web server is affected by multiple vulnerabilities.
              File : lighttpd_1_4_20.nasl - Type : ACT_GATHER_INFO
2008-09-29    Name : The remote FreeBSD host is missing a security-related update.
              File : freebsd_pkg_fb911e318ceb11ddbb29000c6e274733.nasl - Type : ACT_GATHER_INFO

Sources (Detail)

Source     Url
BID        http://www.securityfocus.com/bid/31599
BUGTRAQ    http://www.securityfocus.com/archive/1/archive/1/497932/100/0/threaded
CONFIRM    http://trac.lighttpd.net/trac/changeset/2278
           http://trac.lighttpd.net/trac/changeset/2307
           http://trac.lighttpd.net/trac/changeset/2309
           http://trac.lighttpd.net/trac/changeset/2310
           http://trac.lighttpd.net/trac/ticket/1720
           http://wiki.rpath.com/Advisories:rPSA-2008-0309
           http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0309
           http://www.lighttpd.net/security/lighttpd_sa_2008_05.txt
           http://www.lighttpd.net/security/lighttpd-1.4.x_rewrite_redirect_decode_url.p...
DEBIAN     http://www.debian.org/security/2008/dsa-1645
GENTOO     http://security.gentoo.org/glsa/glsa-200812-04.xml
MLIST      http://openwall.com/lists/oss-security/2008/09/30/1
           http://openwall.com/lists/oss-security/2008/09/30/2
           http://openwall.com/lists/oss-security/2008/09/30/3
SUSE       http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00002.html
VUPEN      http://www.vupen.com/english/advisories/2008/2741
XF         http://xforce.iss.net/xforce/xfdb/45690

Alert History

Date                   Information
2016-04-26 17:52:32    • Multiple Updates
2014-02-17 10:46:48    • Multiple Updates
2013-05-11 00:27:22    • Multiple Updates