oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CVE request: lighttpd mod_cgi script source disclosure

From: "Steven M. Christey" <coley () linus mitre org>
Date: Sun, 2 Mar 2008 23:47:17 -0500 (EST)

On Mon, 3 Mar 2008, Robert Buchholz wrote:


mod_cgi in lighttpd 1.4.18 (and earlier?) will send the source of a cgi
script if it fails to fork the cgi handler, instead of an HTTP 500.
mod_cgi is disabled by default.

See for a patch:
  http://trac.lighttpd.net/trac/changeset/2107
  https://bugs.gentoo.org/show_bug.cgi?id=211956



Use CVE-2008-1111 - this will be public (in CVE) sometime on Monday.

- Steve
Previous By Date Next
Previous By Thread Next

Current thread: