Bug #813 (closed)
..\ exploit in windows fork
Status: Fixed
Priority: Urgent
Category: core
Target version: -
Description
Posted this on the lighty forum (http://forum.lighttpd.net/topic/1247)
While scanning my server (lighttpd 1.4.11 win32) for exploits I noticed
that /..\etc\lighttpd.conf would load up the server's config file. I have
the default config with mods rewrite, access, cgi, secdownload, and
accesslog. This should not be happening.
To help with this problem while this is looked into I have added a url
rewrite.
url.rewrite-once = ( "^/(.*)\.\.(.*)$" => "/" )
This rule should stop anyone from using ".." in the url.
I do hope that someone has an answer to this or maybe it's an overlooked
bug in the windows fork.
-- clowndevil
Updated by jan over 17 years ago
- Status changed from New to Fixed
- Resolution set to fixed
fixed in 1.4.12
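The request in the description would slip past any path check that splits only on `/`, because `..\etc\lighttpd.conf` is then one ordinary-looking segment, while Windows file APIs also accept `\` as a separator. The following is an added example, not lighttpd's code and not the 1.4.12 fix; the function name `path_stays_in_root` and the assumption that the path is already percent-decoded are mine. It counts directory depth with a configurable separator set so the two behaviours can be compared:

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if every ".." in url_path stays at or below the document root,
 * 0 if one climbs above it. `seps` lists the characters treated as path
 * separators. Assumes url_path is already percent-decoded. */
int path_stays_in_root(const char *url_path, const char *seps)
{
    int depth = 0;
    const char *p = url_path;

    while (*p) {
        while (*p && strchr(seps, *p)) p++;          /* skip separators */
        const char *seg = p;
        while (*p && !strchr(seps, *p)) p++;         /* scan one segment */
        size_t len = (size_t)(p - seg);

        if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            if (--depth < 0) return 0;               /* escaped the root */
        } else if (len > 0 && !(len == 1 && seg[0] == '.')) {
            depth++;                                 /* ordinary name */
        }
    }
    return 1;
}

int main(void)
{
    /* Constructed sample paths; the first is the request from the report. */
    const char *samples[] = {
        "/..\\etc\\lighttpd.conf",
        "/../etc/lighttpd.conf",
        "/docs/../index.html",
        "/file..name.txt",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-26s slash-only=%d  slash+backslash=%d\n", samples[i],
               path_stays_in_root(samples[i], "/"),
               path_stays_in_root(samples[i], "/\\"));
    return 0;
}
```

`/file..name.txt` passes this check but is rewritten to `/` by the rule in the report, which matches any URL containing `..`.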