
CVE-2008-1270
Date: (C)2008-03-10   (M)2023-12-22


mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set, uses a default of $HOME, which might allow remote attackers to read arbitrary files, as demonstrated by accessing the ~nobody directory.

CVSS Score and Metrics

CVSS V2 Severity:
CVSS Score : 5.0
Exploit Score: 10.0
Impact Score: 2.9
 
CVSS V2 Metrics:
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality: PARTIAL
Integrity: NONE
Availability: NONE
  
Reference:
http://www.securityfocus.com/archive/1/489465/100/0/threaded
BID-28226
SECUNIA-29318
SECUNIA-29403
SECUNIA-29622
SECUNIA-29636
ADV-2008-0885
DSA-1521
GLSA-200804-08
SUSE-SR:2008:008
http://trac.lighttpd.net/trac/ticket/1587
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0106
http://www.lighttpd.net/2008/3/10/1-4-19-made-in-germany
http://www.lighttpd.net/security/lighttpd_sa_2008_03.txt
https://bugs.gentoo.org/show_bug.cgi?id=212930
https://issues.rpath.com/browse/RPL-2344
lighttpd-moduserdir-information-disclosure(41173)

CPE    1
cpe:/a:lighttpd:lighttpd
CWE    1
CWE-200
OVAL    1
oval:org.mitre.oval:def:7897

© SecPod Technologies