Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
0

CVE-2008-4360

Disclosure Date: October 03, 2008
CVE-2008-4360
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

mod_userdir in lighttpd before 1.4.20, when a case-insensitive operating system or filesystem is used, performs case-sensitive comparisons on filename components in configuration options, which might allow remote attackers to bypass intended access restrictions, as demonstrated by a request for a .PHP file when there is a configuration rule for .php files.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
None
Impact Score:
Unknown
Exploitability Score:
Unknown
Vector:
Unknown
Attack Vector (AV):
Unknown
Attack Complexity (AC):
Unknown
Privileges Required (PR):
Unknown
User Interaction (UI):
Unknown
Scope (S):
Unknown
Confidentiality (C):
Unknown
Integrity (I):
Unknown
Availability (A):
Unknown

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
n/a
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • debian,
  • lighttpd

Products

  • debian linux 4.0,
  • lighttpd

References

Canonical
CVE-2008-4360 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4360)
BID-31600 (http://www.securityfocus.com/bid/31600)
Advisory
SECUNIA-32069 (http://secunia.com/advisories/32069)
http://www.lighttpd.net/security/lighttpd-1.4.x_userdir_lowercase.patch
SECUNIA-32972 (http://secunia.com/advisories/32972)
http://wiki.rpath.com/Advisories:rPSA-2008-0309
SECUNIA-32834 (http://secunia.com/advisories/32834)
http://trac.lighttpd.net/trac/changeset/2283
XF-lighttpd-moduserdir-info-disclosure(45689) (https://exchange.xforce.ibmcloud.com/vulnerabilities/45689)
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0309
SECUNIA-32132 (http://secunia.com/advisories/32132)
http://trac.lighttpd.net/trac/changeset/2308
[oss-security] 20080930 Re: CVE request: lighttpd issues (http://openwall.com/lists/oss-security/2008/09/30/1)
20081030 rPSA-2008-0309-1 lighttpd (http://www.securityfocus.com/archive/1/497932/100/0/threaded)
ADV-2008-2741 (http://www.vupen.com/english/advisories/2008/2741)
DSA-1645 (http://www.debian.org/security/2008/dsa-1645)
[oss-security] 20080930 Re: Re: CVE request: lighttpd issues (http://openwall.com/lists/oss-security/2008/09/30/3)
[oss-security] 20080930 Re: CVE request: lighttpd issues (http://openwall.com/lists/oss-security/2008/09/30/2)
SECUNIA-32480 (http://secunia.com/advisories/32480)
http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00002.html
http://trac.lighttpd.net/trac/ticket/1589
GLSA-200812-04 (http://security.gentoo.org/glsa/glsa-200812-04.xml)
http://www.lighttpd.net/security/lighttpd_sa_2008_06.txt

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis