Bug #813

closed

..\ exploit in windows fork

Added by Anonymous over 17 years ago. Updated over 17 years ago.

Status: Fixed
Priority: Urgent
Category: core
Target version: -

Description

Posted this on the lighty forum (http://forum.lighttpd.net/topic/1247)

While scanning my server (lighttpd 1.4.11 win32) for exploits I noticed
that /..\etc\lighttpd.conf would load up the server's config file. I have
the default config with mods rewrite, access, cgi, secdownload, and
accesslog. This should not be happening.

To help with this problem while this is looked into I have added a url
rewrite.
url.rewrite-once = ( "^/(.*)\.\.(.*)$" => "/" )

This rule should stop anyone from using ".." in the URL.

I do hope that someone has an answer to this or maybe it's an overlooked
bug in the Windows fork.

-- clowndevil
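
Added example, not part of the original report and not lighttpd's code or the 1.4.12 fix: it assumes the general failure class where dot-segment checks split on "/" only while the Windows filesystem also honours "\", and compares that with a separator-aware check and with the workaround pattern quoted above. Function names and all sample paths except the reported request are constructed for illustration.

```python
import re

# Pattern copied from the url.rewrite-once workaround quoted in the report.
WORKAROUND = re.compile(r"^/(.*)\.\.(.*)$")

def slash_only_escapes(url_path):
    """Dot-segment check that splits on '/' only (separator-blind)."""
    depth = 0
    for seg in url_path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:          # climbed above the document root
                return True
        else:
            depth += 1
    return False

def windows_aware_escapes(url_path):
    """Same check after folding '\\' into '/', as a Windows filesystem would."""
    return slash_only_escapes(url_path.replace("\\", "/"))

def classify(path):
    """Return the verdict of each check for one request path."""
    return {
        "slash_only": slash_only_escapes(path),
        "windows_aware": windows_aware_escapes(path),
        "workaround_rule": bool(WORKAROUND.search(path)),
    }

# Constructed samples; the first is the request path from the report.
SAMPLES = [
    "/..\\etc\\lighttpd.conf",   # reported request
    "/docs/../index.html",       # stays inside the root
    "/../index.html",            # leaves the root via '/'
    "/release..notes.txt",       # harmless name containing '..'
    "/img\\logo.png",            # backslash, no traversal
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p!r:32} {classify(p)}")
```

The separator-blind check passes the reported path because it sees "..\etc\lighttpd.conf" as a single segment, while the workaround rule catches it but also rewrites harmless paths such as "/release..notes.txt" and "/docs/../index.html".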

#1

Updated by jan over 17 years ago

  • Status changed from New to Fixed
  • Resolution set to fixed

fixed in 1.4.12
