CVE-2008-1270 when mod_userdir is loaded but not configured, the server's whole disk becomes remotely readable

Bug #200987 reported by Emanuele Gentili on 2008-03-11
Affects            Importance  Assigned to
lighttpd (Ubuntu)  Medium      Emanuele Gentili
Dapper             Medium      Emanuele Gentili
Edgy               Medium      Emanuele Gentili
Feisty             Medium      Emanuele Gentili
Gutsy              Medium      Emanuele Gentili
Hardy              Medium      Emanuele Gentili

Bug Description

mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set, uses a default of $HOME, which might allow remote attackers to read arbitrary files, as demonstrated by accessing the ~nobody directory.

http://trac.lighttpd.net/trac/ticket/1587
http://trac.lighttpd.net/trac/changeset/2120
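
A configuration audit for the condition described above (mod_userdir loaded while userdir.path is never set), added here as an example; it is not part of the bug report or of lighttpd. The sample configurations are constructed, the parser is simplified (no include handling), and treating an empty userdir.path as equivalent to the home directory is an assumption of this audit.

```python
import re

# Constructed sample configs (not taken from the bug report).
WEAK_CONF = '''
server.document-root = "/var/www"
server.modules = (
    "mod_access",
    "mod_userdir",   # loaded, but no userdir.* settings below
)
'''
FIXED_CONF = '''
server.modules = ( "mod_access" )
server.modules += ( "mod_userdir" )
# userdir.path = "old-value"
userdir.path = "public_html"
'''

def strip_comments(text):
    """Drop '#' comments, ignoring '#' inside double-quoted strings."""
    out = []
    for line in text.splitlines():
        in_str = False
        for i, ch in enumerate(line):
            if ch == '"':
                in_str = not in_str
            elif ch == "#" and not in_str:
                line = line[:i]
                break
        out.append(line)
    return "\n".join(out)

def loaded_modules(text):
    """Collect module names from every server.modules = / += list."""
    mods = []
    for body in re.findall(r'server\.modules\s*\+?=\s*\((.*?)\)', text, re.S):
        mods += re.findall(r'"([^"]+)"', body)
    return mods

def audit_userdir(conf_text):
    text = strip_comments(conf_text)
    if "mod_userdir" not in loaded_modules(text):
        return "ok: mod_userdir not loaded"
    paths = re.findall(r'^\s*userdir\.path\s*=\s*"([^"]*)"', text, re.M)
    if not paths:
        # The CVE-2008-1270 condition: the default of $HOME applies.
        return "RISK: mod_userdir loaded, userdir.path unset"
    if "" in paths:
        # Assumption: an empty path also maps ~user to the home directory.
        return "WARN: userdir.path is empty"
    return "ok: userdir.path = " + paths[-1]
```

Run `audit_userdir(open("/etc/lighttpd/lighttpd.conf").read())` against the effective configuration; the path shown is the usual Debian/Ubuntu location and is an assumption here.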

Emanuele Gentili (emgent) wrote :
Stephan Ruegamer (sadig) on 2008-03-11
Changed in lighttpd:
status: New → Confirmed
Changed in lighttpd:
assignee: nobody → emgent
importance: Undecided → Medium
status: Confirmed → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lighttpd - 1.4.18-1ubuntu6

---------------
lighttpd (1.4.18-1ubuntu6) hardy; urgency=low

  * SECURITY UPDATE: (LP: #200987)
   + debian/patches/91_CVE-2008-1270.dpatch
    - mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set,
      uses a default of $HOME, which might allow remote attackers to read arbitrary
      files, as demonstrated by accessing the ~nobody directory.
  * References
   + CVE-2008-1270
   + http://trac.lighttpd.net/trac/ticket/1587
   + http://trac.lighttpd.net/trac/changeset/2120

 -- Emanuele Gentili <email address hidden> Tue, 11 Mar 2008 14:16:48 +0100

Changed in lighttpd:
status: In Progress → Fix Released
Emanuele Gentili (emgent) wrote :
Changed in lighttpd:
assignee: nobody → emgent
importance: Undecided → Medium
status: Confirmed → In Progress
Emanuele Gentili (emgent) wrote :

adding CVE-2008-0983

lighttpd 1.4.18, and possibly other versions before 1.5.0, does not properly calculate the size of a file descriptor array, which allows remote attackers to cause a denial of service (crash) via a large number of connections, which triggers an out-of-bounds access.

Changed in lighttpd:
status: Fix Released → In Progress

hardy not vulnerable to CVE-2008-0983

Changed in lighttpd:
status: In Progress → Fix Released
Emanuele Gentili (emgent) wrote :

CVE-2008-0983 fixed in all Ubuntu versions by 90_maxfds_crash_fix.dpatch, please proceed to upload attached debdiff.

Changed in lighttpd:
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lighttpd - 1.4.18-1ubuntu1.3

---------------
lighttpd (1.4.18-1ubuntu1.3) gutsy-security; urgency=low

  * SECURITY UPDATE: (LP: #200987)
   + debian/patches/91_CVE-2008-1270.dpatch
    - mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set,
      uses a default of $HOME, which might allow remote attackers to read arbitrary
      files, as demonstrated by accessing the ~nobody directory.
  * References
   + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1270
   + http://trac.lighttpd.net/trac/ticket/1587
   + http://trac.lighttpd.net/trac/changeset/2120

 -- Emanuele Gentili <email address hidden> Tue, 11 Mar 2008 14:37:58 +0100

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lighttpd - 1.4.13-9ubuntu4.5

---------------
lighttpd (1.4.13-9ubuntu4.5) feisty-security; urgency=low

  * SECURITY UPDATE: (LP: #200987)
   + debian/patches/91_CVE-2008-1270.dpatch
    - mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set,
      uses a default of $HOME, which might allow remote attackers to read arbitrary
      files, as demonstrated by accessing the ~nobody directory.
  * References
   + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1270
   + http://trac.lighttpd.net/trac/ticket/1587
   + http://trac.lighttpd.net/trac/changeset/2120

 -- Emanuele Gentili <email address hidden> Tue, 11 Mar 2008 14:51:11 +0100

Changed in lighttpd:
status: Fix Committed → Fix Released
Jamie Strandboge (jdstrand) wrote :

lighttpd (1.4.13~r1370-1ubuntu1.6) edgy-security; urgency=low

  * SECURITY UPDATE: (LP: #200987)
   + debian/patches/91_CVE-2008-1270.dpatch
    - mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set,
      uses a default of $HOME, which might allow remote attackers to read arbitrary
      files, as demonstrated by accessing the ~nobody directory.
  * References
   + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1270
   + http://trac.lighttpd.net/trac/ticket/1587
   + http://trac.lighttpd.net/trac/changeset/2120

 -- Emanuele Gentili <email address hidden> Tue, 11 Mar 2008 14:58:14 +0100

Changed in lighttpd:
status: Fix Committed → Fix Released
Jamie Strandboge (jdstrand) wrote :

lighttpd (1.4.11-3ubuntu3.8) dapper-security; urgency=low

  * SECURITY UPDATE: (LP: #200987)
   + debian/patches/91_CVE-2008-1270.dpatch
    - mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set,
      uses a default of $HOME, which might allow remote attackers to read arbitrary
      files, as demonstrated by accessing the ~nobody directory.
  * References
   + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1270
   + http://trac.lighttpd.net/trac/ticket/1587
   + http://trac.lighttpd.net/trac/changeset/2120

 -- Emanuele Gentili <email address hidden> Tue, 11 Mar 2008 15:03:17 +0100

Changed in lighttpd:
status: Fix Committed → Fix Released