CVE-2006-0760

First published: Sat Feb 18 2006(Updated: )

LightTPD 1.4.8 and earlier, when the web root is on a case-insensitive filesystem, allows remote attackers to bypass URL checks and obtain sensitive information via file extensions with unexpected capitalization, as demonstrated by a request for index.PHP when the configuration invokes the PHP interpreter only for ".php" names.

Credit: cve@mitre.org

Affected Software	Affected Version	How to fix
Lighttpd Lighttpd	=1.4.3
Lighttpd Lighttpd	=1.2.3
Lighttpd Lighttpd	=1.2.5
Lighttpd Lighttpd	=1.3.6
Lighttpd Lighttpd	=1.3.12
Lighttpd Lighttpd	=1.3.15
Lighttpd Lighttpd	=1.4.1
Lighttpd Lighttpd	=1.2.2
Lighttpd Lighttpd	=1.3.0
Lighttpd Lighttpd	=1.0.3
Lighttpd Lighttpd	=1.4.8
Lighttpd Lighttpd	=1.1.6
Lighttpd Lighttpd	=1.4.4
Lighttpd Lighttpd	=1.1.5
Lighttpd Lighttpd	=1.3.9
Lighttpd Lighttpd	=1.2.4
Lighttpd Lighttpd	=1.3.5
Lighttpd Lighttpd	=1.1.1
Lighttpd Lighttpd	=1.2.8
Lighttpd Lighttpd	=1.3.13
Lighttpd Lighttpd	=1.2.6
Lighttpd Lighttpd	=1.3.4
Lighttpd Lighttpd	=1.4.2
Lighttpd Lighttpd	=1.2.1
Lighttpd Lighttpd	=1.3.14
Lighttpd Lighttpd	=1.1.4
Lighttpd Lighttpd	=1.1.9
Lighttpd Lighttpd	=1.1.3
Lighttpd Lighttpd	=1.4.5
Lighttpd Lighttpd	=1.1.0
Lighttpd Lighttpd	=1.3.3
Lighttpd Lighttpd	=1.3.8
Lighttpd Lighttpd	=1.0.2
Lighttpd Lighttpd	=1.1.7
Lighttpd Lighttpd	=1.2.0
Lighttpd Lighttpd	=1.1.8
Lighttpd Lighttpd	=1.3.11
Lighttpd Lighttpd	=1.3.16
Lighttpd Lighttpd	=1.3.1
Lighttpd Lighttpd	=1.3.10
Lighttpd Lighttpd	=1.1.2
Lighttpd Lighttpd	=1.4.7
Lighttpd Lighttpd	=1.4.6
Lighttpd Lighttpd	=1.2.7
Lighttpd Lighttpd	=1.3.7
Lighttpd Lighttpd	=1.3.2
Lighttpd Lighttpd	=1.4.0

Remedy

http://secunia.com/advisories/18869

Never miss a vulnerability like this again

Reference Links

collector/nvd-historical
collector/nvd-index
agent/weakness
agent/severity
agent/references
agent/author
agent/event
agent/type
agent/description
agent/remedy
agent/softwarecombine
agent/first-publish-date
agent/last-modified-date
agent/tags
collector/mitre-cve
source/MITRE
vendor/lighttpd
canonical/lighttpd lighttpd
version/lighttpd lighttpd/1.4.3
version/lighttpd lighttpd/1.2.3
version/lighttpd lighttpd/1.2.5
version/lighttpd lighttpd/1.3.6
version/lighttpd lighttpd/1.3.12
version/lighttpd lighttpd/1.3.15
version/lighttpd lighttpd/1.4.1
version/lighttpd lighttpd/1.2.2
version/lighttpd lighttpd/1.3.0
version/lighttpd lighttpd/1.0.3
version/lighttpd lighttpd/1.4.8
version/lighttpd lighttpd/1.1.6
version/lighttpd lighttpd/1.4.4
version/lighttpd lighttpd/1.1.5
version/lighttpd lighttpd/1.3.9
version/lighttpd lighttpd/1.2.4
version/lighttpd lighttpd/1.3.5
version/lighttpd lighttpd/1.1.1
version/lighttpd lighttpd/1.2.8
version/lighttpd lighttpd/1.3.13
version/lighttpd lighttpd/1.2.6
version/lighttpd lighttpd/1.3.4
version/lighttpd lighttpd/1.4.2
version/lighttpd lighttpd/1.2.1
version/lighttpd lighttpd/1.3.14
version/lighttpd lighttpd/1.1.4
version/lighttpd lighttpd/1.1.9
version/lighttpd lighttpd/1.1.3
version/lighttpd lighttpd/1.4.5
version/lighttpd lighttpd/1.1.0
version/lighttpd lighttpd/1.3.3
version/lighttpd lighttpd/1.3.8
version/lighttpd lighttpd/1.0.2
version/lighttpd lighttpd/1.1.7
version/lighttpd lighttpd/1.2.0
version/lighttpd lighttpd/1.1.8
version/lighttpd lighttpd/1.3.11
version/lighttpd lighttpd/1.3.16
version/lighttpd lighttpd/1.3.1
version/lighttpd lighttpd/1.3.10
version/lighttpd lighttpd/1.1.2
version/lighttpd lighttpd/1.4.7
version/lighttpd lighttpd/1.4.6
version/lighttpd lighttpd/1.2.7
version/lighttpd lighttpd/1.3.7
version/lighttpd lighttpd/1.3.2
version/lighttpd lighttpd/1.4.0

CVE-2006-0760

Remedy

Never miss a vulnerability like this again

Reference Links

Company

Resources

Contact