Bug #1165
Status: closed
Security Problem using string equal match (==) on $HTTP["host"] Configuration
Description
Using a $HTTP["host"] virtual configuration with the string equal match (==) like
$HTTP["host"] == "domain.tld"
results in a security problem when this URL is used in a browser with a subdomain prefix like
http://xyz.domain.tld
lighttpd falls back to the server.document-root path and shows all folders, no matter whether dir-listing.activate is disabled. A bigger security problem is that the authentication method (auth.require) no longer works for specific folders once set.
As a workaround you should use the Perl-style regular expression match (=~) for $HTTP["host"] configurations.
Maybe this problem also occurs with other kinds of $HTTP configuration, but I haven't tried yet.
PS. thx for your work on lighttpd. You do a great job !
-- admin
Updated by jan over 17 years ago
- Status changed from New to Fixed
- Resolution set to invalid
I don't see the problem here. The string-match does what it advertises.
It is up to the user to provide a useful default host which is providing a useful hint if the host is unknown.
In the future we will allow leaving server.document-root empty and return a 401 if no doc-root is set in a conditional.
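An added example (not from the report, and not lighttpd's shipped configuration) showing the configuration shape the report describes next to one that follows jan's advice of a harmless default: with a host-scoped == conditional, every setting outside the block is what an unknown Host header gets, so the global scope should serve nothing. Paths, the realm name and the htpasswd file are constructed.

```conf
server.modules += ( "mod_access", "mod_auth" )

# Weak shape: the global document-root IS the real site, so a request for
# xyz.domain.tld (or the bare IP) skips the conditional and is served from
# the site's files without the auth.require rule that only exists inside it.
#
# server.document-root = "/srv/www/domain.tld/htdocs"
# $HTTP["host"] == "domain.tld" {
#     auth.require = ( "/admin/" => ( "method" => "basic", "realm" => "admin", "require" => "valid-user" ) )
# }

# Hardened shape: the global scope is a catch-all that exposes nothing
# (empty directory, no listing, every URL denied); the real site and its
# auth rule exist only inside the host conditional.
server.document-root = "/srv/www/default/empty"   # constructed path, intentionally empty
dir-listing.activate = "disable"
url.access-deny = ( "" )                          # empty suffix matches every URL: deny all unknown hosts

$HTTP["host"] == "domain.tld" {
    server.document-root = "/srv/www/domain.tld/htdocs"
    url.access-deny = ( "~", ".inc" )             # replaces the global deny-all for the real host
    auth.backend = "htpasswd"
    auth.backend.htpasswd.userfile = "/etc/lighttpd/htpasswd"   # constructed path
    auth.require = ( "/admin/" => ( "method" => "basic", "realm" => "admin", "require" => "valid-user" ) )
}
```

Check the fallback the same way the report did: a request with an unmatched Host (for example `curl -H 'Host: xyz.domain.tld' http://SERVER/`) should now return 403 from the global scope instead of a directory view.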