
Bug #1165

Security Problem using string equal match (==) on $HTTP["host"] Configuration

Added by Anonymous over 12 years ago. Updated almost 11 years ago.

Status:
Invalid
Priority:
Normal
Assignee:
-
Category:
core
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:
Missing in 1.5.x:

Description

Using a $HTTP["host"] virtual host configuration with the string equal match (==) like

$HTTP["host"] == "domain.tld"

results in a security problem when this URL is used in a browser with a subdomain prefix like

http://xyz.domain.tld

lighttpd falls back to the server.document-root path and shows all folders, regardless of whether dir-listing.activate is disabled. A bigger security problem is that the authentication method (auth.require) no longer works for specific folders once set.

As a workaround you should use the Perl-style regular expression match (=~) for $HTTP["host"] configurations.

Maybe this problem also occurs with other kinds of $HTTP configuration, but I haven't tried yet.

PS. Thanks for your work on lighttpd. You do a great job!

-- admin
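The misconfiguration from this report beside a hardened configuration, as an added example; it is not part of the report or of lighttpd's own sample config, and the host names, paths, module list and htpasswd file are assumptions.

```lighttpd
# Reported misconfiguration, reconstructed from the report (hosts and paths
# are placeholders). Only the exact host "domain.tld" is protected: a request
# for "xyz.domain.tld" matches no conditional, so it is served from the global
# document-root with none of the auth.require rules applied.
#
# server.document-root = "/srv/www/domain.tld"
# $HTTP["host"] == "domain.tld" {
#     dir-listing.activate = "disable"
#     auth.require = ( "/private/" => ( "method"  => "basic",
#                                       "realm"   => "Private",
#                                       "require" => "valid-user" ) )
# }

# Corrected configuration. Newer lighttpd releases also need "mod_authn_file"
# for the htpasswd backend (assumption about the running version).
server.modules = ( "mod_auth", "mod_access" )

# Safe global defaults: a placeholder root with nothing in it, and directory
# listing disabled outside every conditional.
server.document-root = "/srv/www/empty"
dir-listing.activate = "disable"

# Regular expression match (the workaround from the report) covers the apex
# host and any subdomain; the optional :port group handles Host headers that
# carry a port.
$HTTP["host"] =~ "^([A-Za-z0-9-]+\.)*domain\.tld(:[0-9]+)?$" {
    server.document-root = "/srv/www/domain.tld"
    auth.backend = "htpasswd"
    auth.backend.htpasswd.userfile = "/etc/lighttpd/htpasswd"
    auth.require = ( "/private/" => ( "method"  => "basic",
                                      "realm"   => "Private",
                                      "require" => "valid-user" ) )
}

# Every other Host value is refused instead of falling through to the global
# document-root (an empty pattern in url.access-deny denies all URLs).
$HTTP["host"] !~ "^([A-Za-z0-9-]+\.)*domain\.tld(:[0-9]+)?$" {
    url.access-deny = ( "" )
}
```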

History

#1

Updated by jan over 12 years ago

  • Status changed from New to Fixed
  • Resolution set to invalid

I don't see the problem here. The string-match does what it advertises.

It is up to the user to provide a useful default host which provides a useful hint if the host is unknown.

In the future it will be possible to leave server.document-root empty and return a 401 if no doc-root is set in a conditional.

#2

Updated by stbuehler almost 11 years ago

  • Status changed from Fixed to Invalid
