Description
mod_userdir in lighttpd before 1.4.20, when a case-insensitive operating system or filesystem is used, performs case-sensitive comparisons on filename components in configuration options, which might allow remote attackers to bypass intended access restrictions, as demonstrated by a request for a .PHP file when there is a configuration rule for .php files.
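The mismatch described above can be checked for in access logs. The following Python sketch is an added example, not part of the original advisory or lighttpd's code: it flags requests that a case-sensitive suffix rule would miss but a case-insensitive filesystem would still resolve. The log lines, rule list and function names are constructed for illustration, and percent-encoded paths are not decoded.

```python
import re

# Assumption: suffixes that configuration rules are written against.
RULE_SUFFIXES = [".php"]

# Constructed sample access-log lines (Common Log Format, documentation IPs).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Oct/2008:10:00:01 +0000] "GET /~alice/index.php HTTP/1.1" 200 512
192.0.2.11 - - [01/Oct/2008:10:00:02 +0000] "GET /~alice/index.PHP HTTP/1.1" 200 2048
192.0.2.12 - - [01/Oct/2008:10:00:03 +0000] "GET /~bob/notes.txt HTTP/1.1" 200 128
192.0.2.13 - - [01/Oct/2008:10:00:04 +0000] "GET /~bob/admin.Php?x=1 HTTP/1.1" 200 4096
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def rule_matches(path, suffix, fold_case):
    """Suffix rule check; fold_case=True models a case-insensitive filesystem."""
    if fold_case:
        return path.casefold().endswith(suffix.casefold())
    return path.endswith(suffix)


def case_variant_requests(log_text, suffixes=RULE_SUFFIXES):
    """Return paths the filesystem would resolve to a ruled file type
    but a case-sensitive rule comparison would not match."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = m.group(1).split("?", 1)[0]  # drop the query string
        for suffix in suffixes:
            folded = rule_matches(path, suffix, fold_case=True)
            exact = rule_matches(path, suffix, fold_case=False)
            if folded and not exact:
                hits.append(path)
                break
    return hits


if __name__ == "__main__":
    for p in case_variant_requests(SAMPLE_LOG):
        print("rule skipped by case-sensitive match:", p)
```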
Remediation
References