CVE-2008-4360
EPSS 1.1%
Description
mod_userdir in lighttpd before 1.4.20, when a case-insensitive operating system or filesystem is used, performs case-sensitive comparisons on filename components in configuration options, which might allow remote attackers to bypass intended access restrictions, as demonstrated by a request for a .PHP file when there is a configuration rule for .php files.
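The mismatch described above, as an added example (not lighttpd's code and not part of the original record): a suffix rule compared case-sensitively misses a path the filesystem treats as the same file, while a case-folded comparison catches it. The function names, the `fs_case_insensitive` flag and the sample paths are constructed for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-sensitive suffix test: the comparison behaviour the description
 * attributes to the affected versions. */
int rule_matches_sensitive(const char *path, const char *suffix) {
    size_t pl = strlen(path), sl = strlen(suffix);
    return pl >= sl && memcmp(path + pl - sl, suffix, sl) == 0;
}

/* Suffix test that folds ASCII case on both sides before comparing. */
int rule_matches_folded(const char *path, const char *suffix) {
    size_t pl = strlen(path), sl = strlen(suffix);
    if (pl < sl) return 0;
    for (size_t i = 0; i < sl; i++) {
        unsigned char a = (unsigned char)path[pl - sl + i];
        unsigned char b = (unsigned char)suffix[i];
        if (tolower(a) != tolower(b)) return 0;
    }
    return 1;
}

/* Returns 1 when the restriction configured for `suffix` applies to `path`.
 * fs_case_insensitive is a hypothetical flag: the caller states whether the
 * underlying OS or filesystem ignores case when resolving names. */
int restriction_applies(const char *path, const char *suffix,
                        int fs_case_insensitive) {
    return fs_case_insensitive ? rule_matches_folded(path, suffix)
                               : rule_matches_sensitive(path, suffix);
}

int main(void) {
    /* Constructed request paths; both name the same file on a
     * case-insensitive filesystem. */
    const char *paths[] = { "/~alice/index.php", "/~alice/index.PHP" };
    for (size_t i = 0; i < 2; i++) {
        printf("%-20s sensitive=%d folded=%d\n", paths[i],
               rule_matches_sensitive(paths[i], ".php"),
               restriction_applies(paths[i], ".php", 1));
    }
    return 0;
}
```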
How to fix CVE-2008-4360
To remediate CVE-2008-4360, upgrade the affected package to a fixed version listed below.
- Debian/lighttpd—upgrade to 1.4.19-5 or later
Is CVE-2008-4360 being exploited?
Low — EPSS is 1.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 1.4.19-5