Bug #1165

closed

Security Problem using string equal match (==) on $HTTP["host"] Configuration

Added by Anonymous almost 17 years ago. Updated over 15 years ago.

Status:
Invalid
Priority:
Normal
Category:
core
Target version:
ASK QUESTIONS IN Forums:

Description

Using a $HTTP["host"] virtual host configuration with the string equal match (==) like

    $HTTP["host"] == "domain.tld"

results in a security problem when this URL is used in a browser with a subdomain prefix like

    http://xyz.domain.tld

lighttpd falls back to the server.document-root path and shows all folders, no matter whether dir-listing.activate is disabled. A bigger security problem is that the authentication method (auth.require) no longer works for specific folders once set.

As a workaround you should use the Perl-style regular expression match (=~) for $HTTP["host"] configurations.

Maybe this problem also occurs with other kinds of $HTTP configuration, but I haven't tried yet.

PS. Thanks for your work on lighttpd. You do a great job!

-- admin

Actions #1

Updated by jan almost 17 years ago

  • Status changed from New to Fixed
  • Resolution set to invalid

I don't see the problem here. The string match does what it advertises.

It is up to the user to provide a useful default host, which gives a useful hint if the host is unknown.

In the future we will allow leaving server.document-root empty and returning a 401 if no doc-root is set in a conditional.
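
The two points made on this ticket, the reporter's fallback to the global server.document-root on a non-matching Host and jan's advice to provide a safe default host, are illustrated below in an added lighttpd configuration example. It is not code from the ticket or from the lighttpd project; the paths, realm name, and htpasswd file are assumptions, and the behaviour shown is the one described on this page.

```conf
# --- Weak setting (as reported) ---
# The global document root is the real site, and auth.require only lives
# inside the exact-match conditional. A request for xyz.domain.tld does not
# match "== domain.tld", so it is served from the global document root with
# no auth.require applied.
server.modules += ( "mod_auth", "mod_access" )

server.document-root = "/var/www/domain.tld"          # assumed path

$HTTP["host"] == "domain.tld" {
    auth.backend                 = "htpasswd"
    auth.backend.htpasswd.userfile = "/etc/lighttpd/htpasswd"   # assumed path
    auth.require = ( "/admin/" => (
        "method"  => "basic",
        "realm"   => "admin",       # assumed realm
        "require" => "valid-user"
    ) )
}

# --- Hardened setting ---
# 1. The global context is a deny-all default: an empty directory plus
#    url.access-deny = ( "" ), which denies every path (mod_access treats the
#    empty string as matching all files), so an unknown Host gets 403 rather
#    than a directory listing.
# 2. The real site and its auth.require are selected with a regex match, so
#    domain.tld and any *.domain.tld land in the same protected block. The
#    optional (:[0-9]+)? accounts for a Host header that carries a port.
server.document-root = "/var/www/empty"               # assumed, empty dir
dir-listing.activate = "disable"
url.access-deny      = ( "" )

$HTTP["host"] =~ "^([a-z0-9-]+\.)*domain\.tld(:[0-9]+)?$" {
    server.document-root = "/var/www/domain.tld"      # assumed path
    url.access-deny      = ( "~", ".inc" )             # re-open the vhost, keep the usual deny list
    auth.backend                   = "htpasswd"
    auth.backend.htpasswd.userfile = "/etc/lighttpd/htpasswd"   # assumed path
    auth.require = ( "/admin/" => (
        "method"  => "basic",
        "realm"   => "admin",
        "require" => "valid-user"
    ) )
}
```

A quick check after reloading: `curl -sI -H 'Host: xyz.domain.tld' http://127.0.0.1/admin/` should return 401 (the regex block applies and auth.require is enforced), and `curl -sI -H 'Host: other.example' http://127.0.0.1/` should return 403 from the deny-all default rather than a listing of the site root. Note that url.access-deny inside the conditional replaces, not extends, the global value, which is why the vhost block sets its own list.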

Actions #2

Updated by stbuehler over 15 years ago

  • Status changed from Fixed to Invalid