Launchpad.net

CVE 2008-1270

mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set, uses a default of $HOME, which might allow remote attackers to read arbitrary files, as demonstrated by accessing the ~nobody directory.

Related bugs and status

CVE-2008-1270 (Candidate) is related to these bugs:

Bug #200987: CVE-2008-1270 when mod_userdir is loaded but not configured, the server's whole disk becomes remotely readable

		In	Importance	Status
200987	CVE-2008-1270 when mod_userdir is loaded but not configured, the server's whole disk becomes remotely readable	lighttpd (Ubuntu)	Medium	Fix Released
200987	CVE-2008-1270 when mod_userdir is loaded but not configured, the server's whole disk becomes remotely readable	lighttpd (Ubuntu Dapper)	Medium	Fix Released
200987	CVE-2008-1270 when mod_userdir is loaded but not configured, the server's whole disk becomes remotely readable	lighttpd (Ubuntu Edgy)	Medium	Fix Released
200987	CVE-2008-1270 when mod_userdir is loaded but not configured, the server's whole disk becomes remotely readable	lighttpd (Ubuntu Feisty)	Medium	Fix Released
200987	CVE-2008-1270 when mod_userdir is loaded but not configured, the server's whole disk becomes remotely readable	lighttpd (Ubuntu Gutsy)	Medium	Fix Released
200987	CVE-2008-1270 when mod_userdir is loaded but not configured, the server's whole disk becomes remotely readable	lighttpd (Ubuntu Hardy)	Medium	Fix Released

Bug #201439: [FFe] lighttpd 1.4.19

Summary				In	Importance	Status
	201439	[FFe] lighttpd 1.4.19		lighttpd (Ubuntu)	Wishlist	Fix Released

Bug #203459: [lighttpd] [CVE-2008-1270] arbitrary file disclosure

Summary				In	Importance	Status
	203459	[lighttpd] [CVE-2008-1270] arbitrary file disclosure		lighttpd (Ubuntu)	Undecided	New

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2008-1270

Related bugs and status

Related bugs

References