oss-sec mailing list archives
Re: CVE request: lighttpd mod_cgi script source disclosure
From: "Steven M. Christey" <coley () linus mitre org>
Date: Sun, 2 Mar 2008 23:47:17 -0500 (EST)
On Mon, 3 Mar 2008, Robert Buchholz wrote:
mod_cgi in lighttpd 1.4.18 (and earlier?) will send the source of a cgi script if it fails to fork the cgi handler, instead of an HTTP 500. mod_cgi is disabled by default. See for a patch: http://trac.lighttpd.net/trac/changeset/2107 https://bugs.gentoo.org/show_bug.cgi?id=211956
Use CVE-2008-1111 - this will be public (in CVE) sometime on Monday. - Steve
Current thread:
- CVE request: lighttpd mod_cgi script source disclosure Robert Buchholz (Mar 02)
- Re: CVE request: lighttpd mod_cgi script source disclosure Steven M. Christey (Mar 02)