lighttpd -- script source disclosure vulnerability

ID BDAD9ADA-8A52-11D9-9E53-000A95BC6FAE
Type freebsd
Reporter FreeBSD
Modified 2005-02-12T00:00:00


The lighttpd website reports:

In lighttpd 1.3.7 and below it is possible to fetch the source files which should be handled by CGI or FastCGI applications.

The vulnerability is in the handling of urlencoded trailing NUL bytes. Installations that do not use CGI or FastCGI are not affected.