Description: Some security issues have been reported in lighttpd, which can be exploited by malicious people to disclose potentially sensitive information.
1) An error in mod_cgi can lead to the disclosure of source code when lighttpd is unable to fork.
2) The mod_userdir module uses "$HOME" by default if no userdir.path is set. This can be exploited to disclose the content of arbitrary files on certain systems via e.g. the "nobody" user.
The security issues are reported in version 1.4.18.
Solution: Update to version 1.4.19.
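Issue 2 depends on configuration, so a host can be checked for the exposed combination (mod_userdir loaded, no userdir.path set). The following check is an added example, not part of the original advisory or the lighttpd project; the function names, result strings and sample configurations are constructed for illustration. It reads one configuration file's text, does not follow include directives, and treats an explicitly empty userdir.path the same as an unset one, which is an assumption of this example.

```python
import re

# server.modules = ( "mod_a", "mod_b" ) or server.modules += ( ... )
MODULES_RE = re.compile(r'server\.modules\s*\+?=\s*\((.*?)\)', re.S)
# userdir.path = "public_html" (possibly indented inside a conditional block)
USERDIR_PATH_RE = re.compile(r'^\s*userdir\.path\s*=\s*"([^"]*)"', re.M)

def strip_comments(text):
    # lighttpd.conf comments start with '#'. Simplification of this example:
    # a '#' inside a quoted string is also treated as a comment start.
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())

def loaded_modules(conf):
    mods = set()
    for body in MODULES_RE.findall(conf):
        mods.update(re.findall(r'"(mod_\w+)"', body))
    return mods

def audit_userdir(conf_text):
    """Return 'not-loaded', 'home-exposed' or 'ok' for one config text."""
    conf = strip_comments(conf_text)
    if "mod_userdir" not in loaded_modules(conf):
        return "not-loaded"
    paths = USERDIR_PATH_RE.findall(conf)
    # No userdir.path: per the advisory, 1.4.18 falls back to "$HOME".
    # Empty value: treated as the same exposure (assumption of this example).
    if not paths or any(p == "" for p in paths):
        return "home-exposed"
    return "ok"

# Constructed sample configurations (not taken from any real host).
WEAK = '''
server.modules = (
    "mod_access",
    "mod_userdir",
)
server.document-root = "/var/www"
# userdir.path = "public_html"
'''
HARDENED = WEAK.replace('# userdir.path', 'userdir.path')
NOT_LOADED = 'server.modules = ( "mod_access" )\nuserdir.path = "public_html"\n'

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED),
                       ("not loaded", NOT_LOADED)):
        print(f"{name}: {audit_userdir(conf)}")
```

A "home-exposed" result on version 1.4.18 matches the condition described in issue 2; updating to 1.4.19 remains the advisory's solution.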
Provided and/or discovered by: 1) Reported in a Gentoo bug.
2) Reported in a bug by Julien Cayzac.
Changelog: 2008-03-11: Added vulnerability #2 and updated "Solution" and "Original Advisory" sections.