Bertrand, thanks for the pointer, I saw that one already and I don't think it should be considered a vulnerability. It's a bug that lighty does not handle this situation more gracefully, but I don't see how an attacker could gain something by "exploiting" this bug.
After setting up lighty or making config changes, one will immediately (after trying to send a request) see that the new config is wrong (as lighty crashes).
Or... expressed differently: No working site will have such a config and as such nobody can exploit it.
At least that's my interpretation. =)
Bertrand, thanks for the pointer, I saw that one already and I don't think it should be considered a vulnerability. It's a bug that lighty does not handle this situation more gracefully, but I don't see how an attacker could gain something by "exploiting" this bug.
After setting up lighty or making config changes, one will immediately (after trying to send a request) see that the new config is wrong (as lighty crashes).
Or... expressed differently: No working site will have such a config and as such nobody can exploit it.
At least that's my interpretation. =)