mod_userdir in lighttpd prior to 1.4.20, when a case-insensitive operating system or filesystem is used, performs case-sensitive comparisons on filename components in configuration options, which might allow remote malicious users to bypass intended access restrictions, as demonstrated by a request for a .PHP file when there is a configuration rule for .php files.
Vulnerable Product |
---|
lighttpd lighttpd |
debian debian linux 4.0 |
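
The comparison flaw described above, modelled as an added example (not lighttpd's own code; the function names and sample paths are constructed for illustration). It puts a case-sensitive suffix check next to one that follows the filesystem's case semantics.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/* Simplified model of a config rule keyed on a filename suffix such as ".php".
 * Hypothetical helper names; this is not taken from the lighttpd source. */

/* Always case-sensitive: the behaviour the advisory describes.
 * Returns 1 when the rule applies to the path, 0 otherwise. */
int suffix_match_sensitive(const char *path, const char *suffix) {
    size_t pl = strlen(path), sl = strlen(suffix);
    if (sl > pl) return 0;
    return strcmp(path + pl - sl, suffix) == 0;
}

/* Compares the way the filesystem resolves names: if the filesystem treats
 * "index.PHP" and "index.php" as the same file, the rule must as well. */
int suffix_match_fs_aware(const char *path, const char *suffix,
                          int fs_case_insensitive) {
    size_t pl = strlen(path), sl = strlen(suffix);
    if (sl > pl) return 0;
    const char *tail = path + pl - sl;
    return fs_case_insensitive ? strcasecmp(tail, suffix) == 0
                               : strcmp(tail, suffix) == 0;
}

int main(void) {
    /* Constructed sample request paths. */
    const char *paths[] = { "/~alice/index.php", "/~alice/index.PHP",
                            "/~alice/notes.txt" };
    const char *rule = ".php";
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++) {
        printf("%-20s sensitive=%d fs_aware(ci fs)=%d\n", paths[i],
               suffix_match_sensitive(paths[i], rule),
               suffix_match_fs_aware(paths[i], rule, 1));
    }
    return 0;
}
```

On a case-sensitive filesystem the two functions agree, because `index.PHP` and `index.php` are different files there; the mismatch only matters when the filesystem folds case and the rule does not.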