mod_userdir information disclosure
==================================

Description
-----------

On case-insensitive filesystems, lighttpd 1.4.19 (and possibly other versions before 1.5.0) does not lowercase the filename that mod_userdir generates from the URL. The other modules match case-sensitively, so a request whose extension differs from the configured one only in case is found on disk but is not routed to the configured handler, and the file is served as static content. This may lead to information disclosure: for example, if PHP is configured to handle files ending in ".php", an attacker can obtain the PHP source with http://example.com/~user/file.PHP

http://trac.lighttpd.net/trac/ticket/1589

Affected versions
-----------------

All versions before 1.4.20 (1.5 before r2308).

Fixed in
--------

1.4.x: http://trac.lighttpd.net/trac/changeset/2283
trunk: http://trac.lighttpd.net/trac/changeset/2308

Solutions or Workaround
-----------------------

Use a case-sensitive filesystem :) or don't use mod_userdir.

Upgrade to 1.4.20 or apply lighttpd-1.4.x_userdir_lowercase.patch

This bug is tracked as CVE-2008-4360.
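The following C program is an added illustration of the dispatch problem described above; it is not lighttpd code and not the patch referenced in the advisory. It models a userdir layout of /home/<user>/public_html/ (an assumed default; real mod_userdir paths are configurable), a constructed one-file case-insensitive filesystem, and a handler that was configured on the literal extension ".php" and compares it case-sensitively. `dispatch_vulnerable` uses the path exactly as derived from the URL, so ~user/index.PHP is found on disk but falls through to the static-file path; `dispatch_fixed` lowercases the generated path first, which is the behaviour the advisory says the fix adds for case-insensitive filesystems.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a case-insensitive filesystem: the only file that
 * exists is one PHP script in the user's public_html, and lookups ignore case. */
static const char *const FS_FILES[] = { "/home/user/public_html/index.php" };

static bool str_eq_icase(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return false;
    return *a == *b;
}

static bool fs_exists_icase(const char *path) {
    for (size_t i = 0; i < sizeof FS_FILES / sizeof FS_FILES[0]; i++)
        if (str_eq_icase(path, FS_FILES[i])) return true;
    return false;
}

/* Case-sensitive suffix match, like a handler configured on ".php". */
static bool has_suffix(const char *s, const char *suffix) {
    size_t ls = strlen(s), lx = strlen(suffix);
    return ls >= lx && strcmp(s + ls - lx, suffix) == 0;
}

/* Map /~user/rest to /home/user/public_html/rest (assumed layout).
 * Returns false for URLs that are not userdir URLs. */
static bool userdir_build_path(const char *url, char *out, size_t n) {
    if (strncmp(url, "/~", 2) != 0) return false;
    const char *user = url + 2;
    const char *slash = strchr(user, '/');
    if (!slash || slash == user) return false;
    int len = snprintf(out, n, "/home/%.*s/public_html/%s",
                       (int)(slash - user), user, slash + 1);
    return len > 0 && (size_t)len < n;
}

enum handler { H_NOT_FOUND, H_PHP, H_STATIC };

/* Vulnerable: the path is used exactly as derived from the URL. The
 * filesystem finds index.php for index.PHP, but ".PHP" != ".php", so the
 * request is served as a static file and the script source leaks. */
enum handler dispatch_vulnerable(const char *url) {
    char path[256];
    if (!userdir_build_path(url, path, sizeof path)) return H_NOT_FOUND;
    if (!fs_exists_icase(path)) return H_NOT_FOUND;
    return has_suffix(path, ".php") ? H_PHP : H_STATIC;
}

/* Fixed: on a case-insensitive filesystem, normalise the generated path to
 * lowercase before any handler looks at it, so the extension check sees the
 * same spelling the filesystem will resolve. */
enum handler dispatch_fixed(const char *url) {
    char path[256];
    if (!userdir_build_path(url, path, sizeof path)) return H_NOT_FOUND;
    for (char *p = path; *p; p++) *p = (char)tolower((unsigned char)*p);
    if (!fs_exists_icase(path)) return H_NOT_FOUND;
    return has_suffix(path, ".php") ? H_PHP : H_STATIC;
}

int main(void) {
    const char *urls[] = { "/~user/index.php", "/~user/index.PHP",
                           "/~user/Index.Php", "/~user/missing.php" };
    const char *names[] = { "404", "php handler", "static (source served)" };
    for (size_t i = 0; i < sizeof urls / sizeof urls[0]; i++)
        printf("%-20s vulnerable=%-24s fixed=%s\n", urls[i],
               names[dispatch_vulnerable(urls[i])], names[dispatch_fixed(urls[i])]);
    return 0;
}
```

Lowercasing is only correct when the underlying filesystem really is case-insensitive; on a case-sensitive filesystem the same normalisation would turn a valid request for Index.php into a 404, which is why this behaviour must be tied to the filesystem rather than applied unconditionally. The same check applies to any extension-based handler (CGI, FastCGI, SCGI), not just PHP.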