Posted this on the lighty forum (http://forum.lighttpd.net/topic/1247)
While scanning my server (lighttpd 1.4.11 win32) for exploits I noticed
that /..\etc\lighttpd.conf would load up the server's config file. I have
the default config with mods rewrite, access, cgi, secdownload, and
accesslog. This should not be happening.
To help with this problem while this is looked into I have added a url
rewrite.
url.rewrite-once = ( "/(.*)\.\.(.*)$" => "/" )
This rule should stop anyone from using ".." in the url.
I do hope that someone has an answer to this or maybe it's an overlooked
bug in the windows fork.
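
Added example (not part of the original post and not lighttpd code): a containment check that normalizes the request path under Windows path rules, where "\" is a separator just like "/", and compares it with what the rewrite pattern from the post matches. The document root, the function names resolve and audit, and the sample request paths are assumptions made for this illustration.

```python
import ntpath
import re
from urllib.parse import unquote

DOCROOT = r"C:\lighttpd\htdocs"  # assumed document root, not from the post

# The post's workaround pattern, applied as an unanchored regex search.
REWRITE_RULE = re.compile(r"/(.*)\.\.(.*)$")

# Constructed sample request paths.
SAMPLES = ["/index.html", "/..\\etc\\lighttpd.conf", "/docs/../index.html", "/file..txt"]


def resolve(docroot, url_path):
    """Map a URL path to a file path under Windows path rules.

    Returns the normalized path, or None if it would leave docroot.
    """
    decoded = unquote(url_path)
    if "\x00" in decoded:
        return None
    # ntpath treats both "/" and "\" as separators, as Windows does,
    # and normpath collapses ".." segments before the containment check.
    relative = decoded.lstrip("/\\")
    candidate = ntpath.normpath(ntpath.join(docroot, relative))
    root = ntpath.normpath(docroot)
    cand_key, root_key = ntpath.normcase(candidate), ntpath.normcase(root)
    if cand_key == root_key or cand_key.startswith(root_key + "\\"):
        return candidate
    return None


def audit(paths, docroot=DOCROOT):
    """Return (path, rule_matches, resolved_file_or_None) for each path."""
    return [(p, REWRITE_RULE.search(p) is not None, resolve(docroot, p)) for p in paths]


if __name__ == "__main__":
    for path, blocked_by_rule, resolved in audit(SAMPLES):
        print(f"{path!r:28} rule={blocked_by_rule!s:5} file={resolved}")
```

The containment check rejects the reported path while still resolving /file..txt, a legitimate name that the pattern alone would rewrite to "/".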