Package: lighttpd
Version: 1.4.19-5
Followup-For: Bug #499334

The fix allows CGI execution only from localhost. If you enabled cgi module you probably don't want it to work only from localhost.
The Apache package also enables it for "anybody".

The attached patch should fix this.

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (990, 'testing'), (200, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages lighttpd depends on:
ii  libattr1                1:2.4.43-1         Extended attribute shared library
ii  libbz2-1.0              1.0.5-1            high-quality block-sorting file co
ii  libc6                   2.7-13             GNU C Library: Shared libraries
ii  libfam0                 2.7.0-13.3         Client library to control the FAM
ii  libldap-2.4-2           2.4.10-3           OpenLDAP libraries
ii  libpcre3                7.6-2.1            Perl 5 Compatible Regular Expressi
ii  libssl0.9.8             0.9.8g-13          SSL shared libraries
ii  libterm-readline-perl-  1.0302-1           Perl implementation of Readline li
ii  lsb-base                3.2-20             Linux Standard Base 3.2 init scrip
ii  mime-support            3.44-1             MIME files 'mime.types' & 'mailcap
ii  zlib1g                  1:1.2.3.3.dfsg-12  compression library - runtime

lighttpd recommends no packages.

Versions of packages lighttpd suggests:
pn  apache2-utils           <none>             (no description available)
ii  openssl                 0.9.8g-13          Secure Socket Layer (SSL) binary a
ii  rrdtool                 1.3.1-4            Time-series data storage and displ

-- no debconf information

--- 10-cgi.conf.orig 2008-10-03 23:18:47.000000000 -0300 +++ 10-cgi.conf 2008-10-03 23:20:01.000000000 -0300 @@ -6,12 +6,7 @@ server.modules += ( "mod_cgi" ) -$HTTP["remoteip"] =~ "127.0.0.1" { - alias.url += ( "/cgi-bin/" => "/usr/lib/cgi-bin/" ) - $HTTP["url"] =~ "^/cgi-bin/" { - cgi.assign = ( "" => "" ) - } -} +alias.url += ( "/cgi-bin/" => "/usr/lib/cgi-bin/" ) $HTTP["url"] =~ "^/cgi-bin/" { cgi.assign = ( "" => "" )
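
Review bot: With the $HTTP["remoteip"] block removed, the added alias.url line is unconditional while the remaining cgi.assign = ( "" => "" ) still matches every file name, so anything installed under /usr/lib/cgi-bin/ is executed for any client as soon as this conf file is enabled. The file should say so in a comment above the alias line, and it would help to leave a commented-out $HTTP["remoteip"] condition for administrators who want to keep access restricted. If such an example is kept, compare with == rather than =~ "127.0.0.1": the removed pattern is unanchored and its dots match any character, so it matches more addresses than the loopback one.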