mod_userdir information disclosure
====================================

 Description
-------------

If mod_userdir was loaded but userdir.path was not configured, the default dir
for the the userdir requests was $HOME. This could lead to information disclosure.

The patch requires to set userdir.path. To get back the old behavior use "" as value.

The module is not loaded by default.

 Affected versions
-------------------

all versions before 1.4.19

 Solutions or Workaround
-------------------------

There is no workaround. Upgrade to 1.4.19 or apply
lighttpd-1.4.x_mod_userdir_disclosure.patch

This bug is tracked as CVE-2008-1270.