oss-sec mailing list archives

CVE request: lighttpd mod_cgi script source disclosure

From: Robert Buchholz <rbu () gentoo org>
Date: Mon, 3 Mar 2008 01:10:24 +0100

Hey all,

mod_cgi in lighttpd 1.4.18 (and earlier?) will send the source of a cgi 
script if it fails to fork the cgi handler, instead of an HTTP 500. 
mod_cgi is disabled by default.

See for a patch:
  http://trac.lighttpd.net/trac/changeset/2107
  https://bugs.gentoo.org/show_bug.cgi?id=211956

Please assign a CVE id.


Thanks, Robert

Attachment: signature.asc
Description: This is a digitally signed message part.

Current thread:

CVE request: lighttpd mod_cgi script source disclosure Robert Buchholz (Mar 02)
- Re: CVE request: lighttpd mod_cgi script source disclosure Steven M. Christey (Mar 02)