CVE-2008-4359

lighttpd before 1.4.20 compares URIs to patterns in the (1) url.redirect and (2) url.rewrite configuration settings before performing URL decoding, which might allow remote attackers to bypass intended access restrictions, and obtain sensitive information or possibly modify data.

Published: Oct 3, 2008
Updated: Apr 13, 2023
CVE: CVE-2008-4359
Severity: High
Exploit:

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-200

Affected Software
References

Software	From	Fixed in
lighttpd / lighttpd	-	1.4.20
debian / debian_linux	4.0	4.0.x

http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00002.html
http://openwall.com/lists/oss-security/2008/09/30/1
http://openwall.com/lists/oss-security/2008/09/30/2
http://openwall.com/lists/oss-security/2008/09/30/3
http://secunia.com/advisories/32069
http://secunia.com/advisories/32132
http://secunia.com/advisories/32480
http://secunia.com/advisories/32834
http://secunia.com/advisories/32972
http://security.gentoo.org/glsa/glsa-200812-04.xml
http://trac.lighttpd.net/trac/changeset/2278
http://trac.lighttpd.net/trac/changeset/2307
http://trac.lighttpd.net/trac/changeset/2309
http://trac.lighttpd.net/trac/changeset/2310
http://trac.lighttpd.net/trac/ticket/1720
http://wiki.rpath.com/Advisories:rPSA-2008-0309
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0309
http://www.debian.org/security/2008/dsa-1645
http://www.lighttpd.net/security/lighttpd_sa_2008_05.txt
http://www.lighttpd.net/security/lighttpd-1.4.x_rewrite_redirect_decode_url.patch
http://www.securityfocus.com/archive/1/497932/100/0/threaded
http://www.securityfocus.com/bid/31599
http://www.vupen.com/english/advisories/2008/2741
https://exchange.xforce.ibmcloud.com/vulnerabilities/45690

Vulnerability Database

289,697

CVE-2008-4359