An issue exists in mod_alias_physical_handler in mod_alias.c in lighttpd prior to 1.4.50. There is potential ../ path traversal of a single directory above an alias target, with a specific mod_alias configuration where the matched alias lacks a trailing '/' character, but the alias target filesystem path does have a trailing '/' character.
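
A configuration check for the condition described above, as an added example that is not lighttpd's or this page's own code: it scans lighttpd configuration text for `alias.url` entries whose URL prefix lacks a trailing '/' while the target path has one. The sample configuration, host name and function names are constructed for illustration, and the parser is a simplification that only handles quoted string pairs and full-line comments.

```python
import re

# Constructed sample configuration (not taken from the page).
SAMPLE_CONF = '''
server.modules += ( "mod_alias" )
# alias.url = ( "/old" => "/srv/old/" )   (commented out, must be ignored)
alias.url = (
    "/docs"    => "/srv/www/docs/",
    "/static/" => "/srv/www/static/",
    "/media"   => "/srv/www/media"
)
$HTTP["host"] == "files.example.test" {
    alias.url += ( "/pub" => "/srv/files/pub/" )
}
'''

# Matches "alias.url = ( ... )" and "alias.url += ( ... )", across lines.
ALIAS_BLOCK = re.compile(r'alias\.url\s*\+?=\s*\((.*?)\)', re.DOTALL)
# Matches one "url-prefix" => "filesystem-target" pair inside a block.
PAIR = re.compile(r'"([^"]*)"\s*=>\s*"([^"]*)"')

def strip_comments(text):
    """Drop full-line '#' comments (simplification: trailing comments stay)."""
    return "\n".join(l for l in text.splitlines()
                     if not l.lstrip().startswith("#"))

def alias_pairs(conf_text):
    """Return every (url_prefix, target_path) pair found in alias.url blocks."""
    pairs = []
    for block in ALIAS_BLOCK.finditer(strip_comments(conf_text)):
        pairs.extend(PAIR.findall(block.group(1)))
    return pairs

def risky_aliases(conf_text):
    """Pairs matching the description: no '/' on the alias, '/' on the target."""
    return [(u, t) for u, t in alias_pairs(conf_text)
            if not u.endswith("/") and t.endswith("/")]

def suggested_fix(url, target):
    """Assumed remediation: a trailing '/' on both sides removes the mismatch."""
    return (url + "/", target)

if __name__ == "__main__":
    for url, target in risky_aliases(SAMPLE_CONF):
        new_url, new_target = suggested_fix(url, target)
        print(f'mismatch: "{url}" => "{target}"; '
              f'consider "{new_url}" => "{new_target}"')
```

Changing the alias prefix changes which request paths match, so review each flagged entry rather than rewriting it automatically; the description places the issue in releases prior to 1.4.50.
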
| Vulnerable Product |
|---|
| lighttpd lighttpd |
| opensuse backports sle 15.0 |
| opensuse leap 15.0 |
| opensuse leap 15.1 |
| suse suse linux enterprise server 11 |
| suse suse linux enterprise server 12 |
| debian debian linux 9.0 |