[pkg-lighttpd] Bug#392890: lighttpd: /doc/ and /images/ aliases not safe

Adrian Friedli adi at koalatux.ch
Sat Oct 14 01:34:57 UTC 2006


Package: lighttpd
Version: 1.4.13~r1385-1
Severity: important
Tags: patch


Hi

In /etc/lighttpd/lighttpd.conf the only condition for the /doc/ and
/images/ aliases is the host variable. These URLs could easily be reached
with a faked HTTP header.
My patch also activates directory listing only for the /doc/ and /images/
URLs. Getting a forbidden directory listing with a faked header was
possible before.

Regards
Adrian

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-1-686
Locale: LANG=de_CH.UTF-8, LC_CTYPE=de_CH.UTF-8 (charmap=UTF-8)

Versions of packages lighttpd depends on:
ii  libattr1                    2.4.32-1     Extended attribute shared library
ii  libbz2-1.0                  1.0.3-6      high-quality block-sorting file co
ii  libc6                       2.3.6.ds1-6  GNU C Library: Shared libraries
ii  libldap2                    2.1.30-13+b1 OpenLDAP libraries
ii  libpcre3                    6.7-1        Perl 5 Compatible Regular Expressi
ii  libssl0.9.8                 0.9.8c-3     SSL shared libraries
ii  lsb-base                    3.1-17       Linux Standard Base 3.1 init scrip
ii  mime-support                3.37-1       MIME files 'mime.types' & 'mailcap
ii  zlib1g                      1:1.2.3-13   compression library - runtime

Versions of packages lighttpd recommends:
ii  php4-cgi                      4:4.4.4-3  server-side, HTML-embedded scripti
ii  php5-cgi                      5.1.6-4    server-side, HTML-embedded scripti

-- no debconf information
-------------- next part --------------
--- debian/lighttpd.conf	2006-10-13 14:19:53.000000000 +0200
+++ debian/lighttpd.conf	2006-10-14 03:03:28.000000000 +0200
@@ -125,12 +125,14 @@
 #### handle Debian Policy Manual, Section 11.5. urls
 #### and by default allow them only from localhost
 
-$HTTP["host"] == "localhost" {
+$HTTP["remoteip"] =~ "127.0.0.1" {
 	alias.url += ( 
 		"/doc/" => "/usr/share/doc/",
 		"/images/" => "/usr/share/images/"
 	)
-	dir-listing.activate = "enable"
+	$HTTP["url"] =~ "^/doc/|^/images/" {
+		dir-listing.activate = "enable"
+	}
 }
 
 #### variable usage:
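Review bot: the new condition `$HTTP["remoteip"] =~ "127.0.0.1"` is a regular-expression match, and as written it is unanchored with unescaped dots, so it does not express an exact loopback check; since lighttpd supports an exact comparison on remoteip, `$HTTP["remoteip"] == "127.0.0.1"` states the intent of the "allow them only from localhost" comment more precisely than a regex. Two caveats worth noting in the changelog or the comment above the block: the condition does not match the IPv6 loopback address (::1), and on a host where a reverse proxy on the same machine forwards to lighttpd every request arrives from 127.0.0.1, so the /doc/ and /images/ aliases would then be exposed to all proxied clients. The nested `$HTTP["url"] =~ "^/doc/|^/images/"` block is correctly anchored and does limit dir-listing.activate to those two prefixes as the report describes.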

