Warning --------- This "fix" caused many regressions and was reverted! Bypass rewrite/redirect rules with encoded urls ================================================= Description ------------- lighttpd 1.4.19, and possibly other versions before 1.5.0, does not decode the url before matching against rewrite and redirect patterns, which allows attackers to bypass rewrites rules. this can be a security problem in certain configurations if these rules are used to hide certain urls. http://trac.lighttpd.net/trac/ticket/1720 Affected versions ------------------- all versions before 1.4.20 (1.5 before r2310) Fixed in ---------- 1.4.x: http://trac.lighttpd.net/trac/changeset/2278 (rewrite) 1.4.x: http://trac.lighttpd.net/trac/changeset/2308 (redirect) trunk: http://trac.lighttpd.net/trac/changeset/2307 (rewrite) trunk: http://trac.lighttpd.net/trac/changeset/2310 (redirect) Solutions or Workaround ------------------------- Don't build your security on rewrites. Upgrade to 1.4.20 or apply lighttpd-1.4.x_rewrite_redirect_decode_url.patch This bug is tracked as CVE-2008-4359.