The buffer_urldecode function in Lighttpd 1.3.7 and earlier does not properly handle control characters, which allows remote attackers to obtain the source code for CGI and FastCGI scripts via a URL with a %00 (null) character after the file extension.
Max CVSS
5.0
EPSS Score
0.38%
Published
2005-02-16
Updated
2008-09-05
1 vulnerabilities found