Package: lighttpd
Version: 1.4.13~r1385-1
Severity: important
Tags: patch
Hi,

In /etc/lighttpd/lighttpd.conf the only condition for the /doc/ and /images/ aliases is the host variable. These URLs could easily be reached with a faked HTTP header. My patch also activates directory listing only for the /doc/ and /images/ URLs. Getting a forbidden directory listing with a faked header was possible before.

Regards,
Adrian

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-1-686
Locale: LANG=de_CH.UTF-8, LC_CTYPE=de_CH.UTF-8 (charmap=UTF-8)

Versions of packages lighttpd depends on:
ii  libattr1      2.4.32-1        Extended attribute shared library
ii  libbz2-1.0    1.0.3-6         high-quality block-sorting file co
ii  libc6         2.3.6.ds1-6     GNU C Library: Shared libraries
ii  libldap2      2.1.30-13+b1    OpenLDAP libraries
ii  libpcre3      6.7-1           Perl 5 Compatible Regular Expressi
ii  libssl0.9.8   0.9.8c-3        SSL shared libraries
ii  lsb-base      3.1-17          Linux Standard Base 3.1 init scrip
ii  mime-support  3.37-1          MIME files 'mime.types' & 'mailcap
ii  zlib1g        1:1.2.3-13      compression library - runtime

Versions of packages lighttpd recommends:
ii  php4-cgi      4:4.4.4-3       server-side, HTML-embedded scripti
ii  php5-cgi      5.1.6-4         server-side, HTML-embedded scripti

-- no debconf information
--- debian/lighttpd.conf 2006-10-13 14:19:53.000000000 +0200 +++ debian/lighttpd.conf 2006-10-14 03:03:28.000000000 +0200 @@ -125,12 +125,14 @@ #### handle Debian Policy Manual, Section 11.5. urls #### and by default allow them only from localhost -$HTTP["host"] == "localhost" { +$HTTP["remoteip"] =~ "127.0.0.1" { alias.url += ( "/doc/" => "/usr/share/doc/", "/images/" => "/usr/share/images/" ) - dir-listing.activate = "enable" + $HTTP["url"] =~ "^/doc/|^/images/" { + dir-listing.activate = "enable" + } } #### variable usage:
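Review bot: the replacement condition `$HTTP["remoteip"] =~ "127.0.0.1"` is an unanchored regular expression with unescaped dots, so it matches any remote address that merely contains that pattern (127.0.0.10, 127.0.0.11 and so on, and because `.` matches any character, other strings of the same shape); since the intent is "only from localhost", an exact match `$HTTP["remoteip"] == "127.0.0.1"` or an anchored, escaped pattern `=~ "^127\.0\.0\.1$"` states that intent precisely. Two further points for the same hunk: a client that reaches the server over IPv6 loopback has remoteip `::1`, so if the daemon is listening on IPv6 the aliases silently stop working for it unless that address is also allowed (worth mentioning in the changelog), and moving `dir-listing.activate = "enable"` into the nested `$HTTP["url"] =~ "^/doc/|^/images/"` block is the right scoping, because the old block enabled listings for every path served under the host match rather than just the two aliased trees.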