[pkg-lighttpd] Bug#392890: lighttpd: /doc/ and /images/ aliases not safe
Adrian Friedli
adi at koalatux.ch
Sat Oct 14 01:34:57 UTC 2006
Package: lighttpd
Version: 1.4.13~r1385-1
Severity: important
Tags: patch
Hi
In /etc/lighttpd/lighttpd.conf the only condition for the /doc/ and
/images/ aliases is the host variable. These URLs could easily be reached
with a faked HTTP header.
My patch also activates directory listing only for the /doc/ and /images/
URLs. Getting a forbidden directory listing with a faked header was
possible before.
Regards
Adrian
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-1-686
Locale: LANG=de_CH.UTF-8, LC_CTYPE=de_CH.UTF-8 (charmap=UTF-8)
Versions of packages lighttpd depends on:
ii libattr1 2.4.32-1 Extended attribute shared library
ii libbz2-1.0 1.0.3-6 high-quality block-sorting file co
ii libc6 2.3.6.ds1-6 GNU C Library: Shared libraries
ii libldap2 2.1.30-13+b1 OpenLDAP libraries
ii libpcre3 6.7-1 Perl 5 Compatible Regular Expressi
ii libssl0.9.8 0.9.8c-3 SSL shared libraries
ii lsb-base 3.1-17 Linux Standard Base 3.1 init scrip
ii mime-support 3.37-1 MIME files 'mime.types' & 'mailcap
ii zlib1g 1:1.2.3-13 compression library - runtime
Versions of packages lighttpd recommends:
ii php4-cgi 4:4.4.4-3 server-side, HTML-embedded scripti
ii php5-cgi 5.1.6-4 server-side, HTML-embedded scripti
-- no debconf information
--- debian/lighttpd.conf 2006-10-13 14:19:53.000000000 +0200
+++ debian/lighttpd.conf 2006-10-14 03:03:28.000000000 +0200
@@ -125,12 +125,14 @@
#### handle Debian Policy Manual, Section 11.5. urls
#### and by default allow them only from localhost
-$HTTP["host"] == "localhost" {
+$HTTP["remoteip"] =~ "127.0.0.1" {
alias.url += (
"/doc/" => "/usr/share/doc/",
"/images/" => "/usr/share/images/"
)
- dir-listing.activate = "enable"
+ $HTTP["url"] =~ "^/doc/|^/images/" {
+ dir-listing.activate = "enable"
+ }
}
#### variable usage:
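Review bot: the replacement condition `$HTTP["remoteip"] =~ "127.0.0.1"` is an unanchored regular expression in which every `.` matches any character, and it never matches the IPv6 loopback address `::1`, so a client that reaches lighttpd over IPv6 localhost loses the /doc/ and /images/ aliases even though the intent is "localhost only". Since the point of the patch is to key on something the client cannot forge (the peer address rather than the Host header), state it as an exact comparison, `$HTTP["remoteip"] == "127.0.0.1"`; lighttpd's `==` on remoteip also accepts a CIDR mask such as `127.0.0.0/8`, and IPv6 loopback would need its own condition. The nested `$HTTP["url"] =~ "^/doc/|^/images/"` block correctly limits dir-listing to the two aliases; `"^/(doc|images)/"` says the same thing more readably.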
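To make the difference between the three conditions concrete, the following added example (not code from the report, from Adrian, or from lighttpd) models how each of them evaluates a request: the original `$HTTP["host"] == "localhost"`, the patch's `$HTTP["remoteip"] =~ "127.0.0.1"`, and an address-based loopback check standing in for an exact or CIDR comparison on remoteip. The request lines and peer addresses are constructed for the example, and the policy functions are a simplified model of the conditions rather than lighttpd's parser.

```python
import ipaddress
import re

# Constructed sample requests: (peer address as seen on the TCP connection,
# raw request bytes). Made up for this example, not captured traffic.
REQUESTS = {
    "local":   ("127.0.0.1",   b"GET /doc/ HTTP/1.1\r\nHost: localhost\r\n\r\n"),
    # Remote client that forges the Host header (the case the report describes).
    "spoofed": ("203.0.113.5", b"GET /doc/lighttpd/ HTTP/1.1\r\nHost: localhost\r\n\r\n"),
    "honest":  ("203.0.113.5", b"GET /doc/ HTTP/1.1\r\nHost: www.example.org\r\n\r\n"),
    # Loopback over IPv6: not covered by a regex written for 127.0.0.1.
    "v6local": ("::1",         b"GET /images/ HTTP/1.1\r\nHost: localhost\r\n\r\n"),
}


def parse_request(raw):
    """Return (request target, lowercased header dict) from a raw HTTP/1.x request."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return target, headers


def allowed_by_host(peer, raw):
    """Original config: $HTTP["host"] == "localhost". Host is chosen by the client."""
    _target, headers = parse_request(raw)
    return headers.get("host") == "localhost"


def allowed_by_remoteip_regex(peer, raw):
    """Patched config: $HTTP["remoteip"] =~ "127.0.0.1".

    Unanchored PCRE-style search in which '.' is a wildcard; '::1' never matches.
    """
    return re.search(r"127.0.0.1", peer) is not None


# Loopback ranges for an address-based comparison (model of remoteip with an
# exact address or CIDR mask; IPv6 support in a given lighttpd version is not
# something this example can vouch for).
LOOPBACK = (ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128"))


def allowed_by_remoteip_cidr(peer, raw):
    """Compare the peer as an IP address rather than as a string."""
    addr = ipaddress.ip_address(peer)
    return any(addr in net for net in LOOPBACK)


# Patch's nested condition: dir-listing only under the two aliased prefixes.
DOC_URL = re.compile(r"^/doc/|^/images/")


def listing_enabled_patched(target):
    return DOC_URL.search(target) is not None


def evaluate(name):
    """Evaluate all three access conditions for one of the constructed requests."""
    peer, raw = REQUESTS[name]
    return {
        "host": allowed_by_host(peer, raw),
        "remoteip_regex": allowed_by_remoteip_regex(peer, raw),
        "remoteip_cidr": allowed_by_remoteip_cidr(peer, raw),
    }


if __name__ == "__main__":
    for name in REQUESTS:
        print(name, evaluate(name))
```

The "spoofed" request passes the Host-only condition and fails both address-based ones, which is the bypass the report describes; the "v6local" request shows the remaining gap in the regex form, where a genuinely local client over IPv6 is refused while the address comparison admits it.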