
CVE-2008-1270 vulnerability details

CVE-2008-1270
CVSS 5.0
Published: 2008-03-10 17:44:00
Revised: 2011-03-07 22:06:26

[Original] mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set, uses a default of $HOME, which might allow remote attackers to read arbitrary files, as demonstrated by accessing the ~nobody directory.


[CNNVD] Lighttpd 'mod_userdir' information disclosure vulnerability (CNNVD-200803-148)

lighttpd is a widely used open-source web server.

When userdir.path is not set, mod_userdir in lighttpd falls back to the default $HOME, which lets a remote attacker read arbitrary files, for example by accessing the ~nobody directory.


CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: NETWORK [the attacker needs neither intranet nor local access]
Authentication: NONE [exploitation requires no authentication]


CWE (weakness category)

CWE-200 [Information Exposure]


CPE (affected platforms and products)

Product and version information (CPE) not yet available


OVAL (technical details for detection)

oval:org.mitre.oval:def:7897 DSA-1521 lighttpd — file disclosure
*The OVAL definition describes in detail how to detect this vulnerability; see the referenced OVAL definition for further technical details on detection.


Official database links

MITRE (official data source): http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1270
NVD (official data source): http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-1270
CNNVD (official data source): http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200803-148


Other links and resources

(UNKNOWN)  CONFIRM  https://issues.rpath.com/browse/RPL-2344
(UNKNOWN)  CONFIRM  https://bugs.gentoo.org/show_bug.cgi?id=212930
(UNKNOWN)  XF  lighttpd-moduserdir-information-disclosure(41173)  http://xforce.iss.net/xforce/xfdb/41173
(UNKNOWN)  VUPEN  ADV-2008-0885  http://www.vupen.com/english/advisories/2008/0885/references
(UNKNOWN)  BID  28226  http://www.securityfocus.com/bid/28226
(UNKNOWN)  BUGTRAQ  20080312 rPSA-2008-0106-1 lighttpd  http://www.securityfocus.com/archive/1/archive/1/489465/100/0/threaded
(UNKNOWN)  CONFIRM  http://www.lighttpd.net/security/lighttpd_sa_2008_03.txt
(UNKNOWN)  CONFIRM  http://www.lighttpd.net/2008/3/10/1-4-19-made-in-germany
(UNKNOWN)  DEBIAN  DSA-1521  http://www.debian.org/security/2008/dsa-1521
(UNKNOWN)  MISC  http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0106
(UNKNOWN)  CONFIRM  http://trac.lighttpd.net/trac/ticket/1587
(UNKNOWN)  GENTOO  GLSA-200804-08  http://security.gentoo.org/glsa/glsa-200804-08.xml
(VENDOR_ADVISORY)  SECUNIA  29636  http://secunia.com/advisories/29636
(VENDOR_ADVISORY)  SECUNIA  29622  http://secunia.com/advisories/29622
(VENDOR_ADVISORY)  SECUNIA  29403  http://secunia.com/advisories/29403
(VENDOR_ADVISORY)  SECUNIA  29318  http://secunia.com/advisories/29318
(UNKNOWN)  SUSE  SUSE-SR:2008:008  http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00005.html


Vulnerability information

Lighttpd 'mod_userdir' information disclosure vulnerability
Medium severity; information disclosure
2008-03-10 00:00:00 2008-09-05 00:00:00
Remote

Advisories and patches

The vendor has released an upgrade to fix this security issue; download link:

lighttpd lighttpd 1.4

lighttpd lighttpd-1.4.19.tar.gz

http://www.lighttpd.net/download/lighttpd-1.4.19.tar.gz


Vulnerability information (F65410)

Gentoo Linux Security Advisory 200804-8 (PacketStormID:F65410)

2008-04-10 00:00:00
Gentoo  security.gentoo.org

advisory

linux,gentoo

CVE-2008-1270,CVE-2008-1531


Gentoo Linux Security Advisory GLSA 200804-08 – Julien Cayzax discovered that an insecure default setting exists in mod_userdir in lighttpd. When userdir.path is not set the default value used is $HOME. It should be noted that the nobody user's $HOME is / (CVE-2008-1270). An error also exists in the SSL connection code which can be triggered when a user prematurely terminates his connection (CVE-2008-1531). Versions less than 1.4.19-r2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200804-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: lighttpd: Multiple vulnerabilities
      Date: April 10, 2008
      Bugs: #212930, #214892
        ID: 200804-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities in lighttpd may lead to information disclosure
or a Denial of Service.

Background
==========

lighttpd is a lightweight high-performance web server.

Affected packages
=================

    -------------------------------------------------------------------
     Package               /   Vulnerable   /               Unaffected
    -------------------------------------------------------------------
  1  www-servers/lighttpd      < 1.4.19-r2                >= 1.4.19-r2

Description
===========

Julien Cayzax discovered that an insecure default setting exists in
mod_userdir in lighttpd. When userdir.path is not set the default value
used is $HOME. It should be noted that the "nobody" user's $HOME is "/"
(CVE-2008-1270). An error also exists in the SSL connection code which
can be triggered when a user prematurely terminates his connection
(CVE-2008-1531).

Impact
======

A remote attacker could exploit the first vulnerability to read
arbitrary files. The second vulnerability can be exploited by a remote
attacker to cause a Denial of Service by terminating a victim's SSL
connection.

Workaround
==========

As a workaround for CVE-2008-1270 you can set userdir.path to a
sensible value, e.g. "public_html".

Resolution
==========

All lighttpd users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-servers/lighttpd-1.4.19-r2"

References
==========

  [ 1 ] CVE-2008-1270
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1270
  [ 2 ] CVE-2008-1531
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1531

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200804-08.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[email protected] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
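As an added illustration of the GLSA's Description and Workaround above (example code written for this page, not from the advisory or the lighttpd project), the Python below models how mod_userdir maps a /~user/ URI to a filesystem path with userdir.path unset versus set, and checks a lighttpd.conf fragment for the weak setting. The home-directory table and both config fragments are constructed; the fixed-version behaviour (the module declining requests when userdir.path is unset) and the empty-string handling are assumptions stated in the comments.

```python
import os.path
import re

# Constructed sample of user home directories (stand-in for getpwnam lookups);
# the "nobody" entry has $HOME = "/" as the GLSA notes.
HOMES = {"alice": "/home/alice", "nobody": "/"}

# Constructed lighttpd.conf fragments: the weak one loads mod_userdir without
# userdir.path; the hardened one sets it and also excludes system accounts.
WEAK_CONF = '''server.modules = ( "mod_access", "mod_userdir" )
server.document-root = "/var/www"
'''
HARDENED_CONF = WEAK_CONF + '''userdir.path = "public_html"
userdir.exclude-user = ( "root", "nobody" )
'''


def map_userdir(uri, homes, userdir_path, fixed=True):
    """Model how mod_userdir turns a /~user/... URI into a filesystem path.

    userdir_path is the value of userdir.path (None when unset).  With it
    unset, 1.4.18 uses $HOME itself as the document root (the vulnerable
    behaviour).  fixed=True models the 1.4.19 fix (ticket #1587) as the
    module declining the request when userdir.path is unset; that reading
    of the fix is an assumption of this example.  Returns None whenever
    mod_userdir does not serve the request.
    """
    m = re.match(r"^/~([^/]+)(/.*)?$", uri)
    if m is None:
        return None                      # not a userdir request
    user, rest = m.group(1), m.group(2) or "/"
    if user not in homes:
        return None                      # unknown account: nothing to serve
    if not userdir_path:
        if fixed:
            return None                  # 1.4.19+: userdir.path is required
        docroot = homes[user]            # 1.4.18: falls back to $HOME ("/" for nobody)
    else:
        docroot = homes[user].rstrip("/") + "/" + userdir_path
    # lighttpd simplifies "." and ".." in the URI before its docroot handlers
    # run; normpath stands in for that step here.
    return os.path.normpath(docroot.rstrip("/") + rest)


def audit_config(conf_text):
    """Return findings for a lighttpd.conf fragment that would expose this issue.

    A loaded mod_userdir with no userdir.path is flagged.  An empty string is
    flagged too, on the assumption that the server treats it like unset.
    """
    findings = []
    if '"mod_userdir"' not in conf_text:
        return findings                  # module not loaded: nothing to check
    m = re.search(r'^\s*userdir\.path\s*=\s*"([^"]*)"', conf_text, re.M)
    if m is None:
        findings.append("mod_userdir loaded but userdir.path is not set "
                        "(CVE-2008-1270 on lighttpd <= 1.4.18)")
    elif m.group(1) == "":
        findings.append("userdir.path is an empty string, treated as unset")
    return findings


if __name__ == "__main__":
    req = "/~nobody/etc/passwd"
    print("1.4.18, userdir.path unset:", map_userdir(req, HOMES, None, fixed=False))
    print("1.4.19, userdir.path unset:", map_userdir(req, HOMES, None))
    print("userdir.path = public_html: ", map_userdir(req, HOMES, "public_html"))
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_config(conf) or ["ok"])
```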

    


Vulnerability information (F64629)

Debian Linux Security Advisory 1521-1 (PacketStormID:F64629)

2008-03-17 00:00:00
Debian  debian.org

advisory,arbitrary

linux,debian

CVE-2008-1270


Debian Security Advisory 1521-1 – Julien Cayzac discovered that under certain circumstances lighttpd, a fast webserver with minimal memory footprint, might allow the reading of arbitrary files from the system. This problem could only occur with a non-standard configuration.

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1521-1                  [email protected]
http://www.debian.org/security/                               Steve Kemp
March 16, 2008                        http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : lighttpd
Vulnerability  : file disclosure
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2008-1270

Julien Cayzac discovered that under certain circumstances lighttpd,
a fast webserver with minimal memory footprint, might allow the reading
of arbitrary files from the system.  This problem could only occur
with a non-standard configuration.

For the stable distribution (etch), this problem has been fixed in 
version 1.4.13-4etch6.

We recommend that you upgrade your lighttpd package.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
- -------------------------------


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [email protected]
Package info: `apt-cache show ' and http://packages.debian.org/


Vulnerability information


43170
lighttpd mod_userdir userdir.path Information Disclosure

Information Disclosure
Loss of Confidentiality
Vendor Verified


Timeline


2008-02-28

Unknown
Unknown Unknown


Solution

Upgrade to version 1.4.19 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.


Credit

Unknown or Incomplete


Vulnerability information

Lighttpd mod_userdir Information Disclosure Vulnerability

Failure to Handle Exceptional Conditions

Bugtraq ID: 28226
Remote: Yes  Local: No
Published: 2008-03-12 12:00:00  Updated: 2008-04-16 12:28:00

[email protected] discovered this issue.


Affected program versions

SuSE SUSE Linux Enterprise SDK 10
S.u.S.E. openSUSE 10.3
S.u.S.E. openSUSE 10.2
S.u.S.E. Linux 10.1 x86-64
S.u.S.E. Linux 10.1 x86
S.u.S.E. Linux 10.1 ppc
rPath rPath Linux 1
lighttpd lighttpd 1.4.18
lighttpd lighttpd 1.4.17
lighttpd lighttpd 1.4.16
lighttpd lighttpd 1.4.15
lighttpd lighttpd 1.4.14
lighttpd lighttpd 1.4.13
lighttpd lighttpd 1.4.12
lighttpd lighttpd 1.4.11
lighttpd lighttpd 1.4.10
lighttpd lighttpd 1.4.9
lighttpd lighttpd 1.4.8
lighttpd lighttpd 1.4.7
lighttpd lighttpd 1.4.6
lighttpd lighttpd 1.4.5
lighttpd lighttpd 1.4.4
lighttpd lighttpd 1.4.3
lighttpd lighttpd 1.4.2
lighttpd lighttpd 1.4.1
lighttpd lighttpd 1.4
lighttpd lighttpd 1.4.10a
Gentoo Linux
Debian Linux 4.0 sparc
Debian Linux 4.0 s/390
Debian Linux 4.0 powerpc
Debian Linux 4.0 mipsel
Debian Linux 4.0 mips
Debian Linux 4.0 m68k
Debian Linux 4.0 ia-64
Debian Linux 4.0 ia-32
Debian Linux 4.0 hppa
Debian Linux 4.0 arm
Debian Linux 4.0 amd64
Debian Linux 4.0 alpha
Debian Linux 4.0
lighttpd lighttpd 1.4.19


Unaffected program versions

lighttpd lighttpd 1.4.19


Vulnerability discussion

The 'lighttpd' program is prone to a vulnerability that may allow attackers to access sensitive information because the application fails to properly handle exceptional conditions.

Information obtained may aid in further attacks.

This issue affects lighttpd 1.4.18; other versions may also be vulnerable.


Exploit

To exploit this vulnerability, attackers can use a browser.

The following example URI is available:

http://www.example.com/~nobody/etc/passwd


Solution

The vendor has released lighttpd 1.4.19 to address this issue. Please see the references for more information.





