Lighttpd Exposure of Sensitive Information to an Unauthorized Actor Vulnerability - CVE-2008-4360

mod_userdir in lighttpd before 1.4.20 when a case-insensitive operating system or filesystem is used performs case-sensitive comparisons on filename components in configuration options which might allow remote attackers to bypass intended access restrictions as demonstrated by a request for a .PHP file when there is a configuration rule for .php files.