lighttpd before 1.4.20 compares URIs to patterns in the (1) url.redirect and (2) url.rewrite configuration settings before performing URL decoding, which might allow remote attackers to bypass intended access restrictions and obtain sensitive information or possibly modify data.
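
The ordering problem described above, as an added C illustration (not lighttpd's source and not the referenced patch): `url_decode` and `rule_matches` are hypothetical helpers, and the pattern and request URIs are constructed samples. A rule pattern compared against the raw URI does not see a percent-encoded spelling of the same path, while decoding first and then matching does.

```c
#include <ctype.h>
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (added example, not lighttpd code): decode %XX escapes
 * from src into dst, which must hold strlen(src)+1 bytes.
 * Returns 0 on success, -1 on a malformed escape. */
static int url_decode(const char *src, char *dst) {
    while (*src) {
        if (*src == '%') {
            if (!isxdigit((unsigned char)src[1]) || !isxdigit((unsigned char)src[2]))
                return -1;
            char hex[3] = { src[1], src[2], '\0' };
            *dst++ = (char)strtol(hex, NULL, 16);
            src += 3;
        } else {
            *dst++ = *src++;
        }
    }
    *dst = '\0';
    return 0;
}

/* Returns 1 if the rule pattern matches uri, 0 if not, -1 on bad input.
 * decode_first == 0 models matching the raw request URI (the flawed order);
 * decode_first == 1 decodes the URI before the pattern is applied. */
static int rule_matches(const char *pattern, const char *uri, int decode_first) {
    char buf[1024];
    regex_t re;
    if (strlen(uri) >= sizeof(buf)) return -1;
    if (!decode_first) strcpy(buf, uri);
    else if (url_decode(uri, buf) != 0) return -1;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0) return -1;
    int hit = regexec(&re, buf, 0, NULL, 0) == 0;
    regfree(&re);
    return hit;
}

int main(void) {
    const char *pattern = "^/private/";   /* constructed rule pattern */
    const char *uris[] = { "/private/a.txt", "/priv%61te/a.txt" }; /* constructed */
    for (int i = 0; i < 2; i++)
        printf("%-18s raw=%d decoded=%d\n", uris[i],
               rule_matches(pattern, uris[i], 0), rule_matches(pattern, uris[i], 1));
    return 0;
}
```
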
lists.opensuse.org/opensuse-security-announce/2008-11/msg00002.html
openwall.com/lists/oss-security/2008/09/30/1
openwall.com/lists/oss-security/2008/09/30/2
openwall.com/lists/oss-security/2008/09/30/3
secunia.com/advisories/32069
secunia.com/advisories/32132
secunia.com/advisories/32480
secunia.com/advisories/32834
secunia.com/advisories/32972
security.gentoo.org/glsa/glsa-200812-04.xml
trac.lighttpd.net/trac/changeset/2278
trac.lighttpd.net/trac/changeset/2307
trac.lighttpd.net/trac/changeset/2309
trac.lighttpd.net/trac/changeset/2310
trac.lighttpd.net/trac/ticket/1720
wiki.rpath.com/Advisories:rPSA-2008-0309
wiki.rpath.com/wiki/Advisories:rPSA-2008-0309
www.debian.org/security/2008/dsa-1645
www.lighttpd.net/security/lighttpd-1.4.x_rewrite_redirect_decode_url.patch
www.lighttpd.net/security/lighttpd_sa_2008_05.txt
www.securityfocus.com/archive/1/497932/100/0/threaded
www.securityfocus.com/bid/31599
www.vupen.com/english/advisories/2008/2741
exchange.xforce.ibmcloud.com/vulnerabilities/45690