Vulnerabilities > CVE-2007-3950 - Unspecified vulnerability in Lighttpd
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: PARTIAL
Summary
lighttpd 1.4.15, when run on 32-bit platforms, allows remote attackers to cause a denial of service (daemon crash) via unspecified vectors involving the use of incompatible format specifiers in certain debugging messages in the (1) mod_scgi, (2) mod_fastcgi, and (3) mod_webdav modules. The vendor has released an upgrade that addresses this vulnerability: http://trac.lighttpd.net/trac/
Vulnerable Configurations
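Nessus
Note: each plugin listed below covers several lighttpd CVEs in one check, so the CVSS vector (C:P/I:P/A:C) and the exploit-availability attributes it carries apply to the whole group and should not be read as specific to CVE-2007-3950, which is rated above as availability-only. The package-based plugins compare installed package versions, and the "lighttpd < 1.4.16" plugin relies on the server's self-reported banner version, so a finding from any of them indicates a missing update rather than a confirmed crash condition.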
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1362.NASL description Several vulnerabilities were discovered in lighttpd, a fast webserver with minimal memory footprint, which could allow the execution of arbitrary code via the overflow of CGI variables when mod_fcgi was enabled. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-3946 The use of mod_auth could leave to a denial of service attack crashing the webserver. - CVE-2007-3947 The improper handling of repeated HTTP headers could cause a denial of service attack crashing the webserver. - CVE-2007-3949 A bug in mod_access potentially allows remote users to bypass access restrictions via trailing slash characters. - CVE-2007-3950 On 32-bit platforms users may be able to create denial of service attacks, crashing the webserver, via mod_webdav, mod_fastcgi, or mod_scgi. last seen 2020-06-01 modified 2020-06-02 plugin id 25962 published 2007-09-03 reporter This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/25962 title Debian DSA-1362-2 : lighttpd - several vulnerabilities code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-1362. The text # itself is copyright (C) Software in the Public Interest, Inc. 
# include("compat.inc"); if (description) { script_id(25962); script_version("1.20"); script_cvs_date("Date: 2019/08/02 13:32:20"); script_cve_id("CVE-2007-2841", "CVE-2007-3946", "CVE-2007-3947", "CVE-2007-3948", "CVE-2007-3949", "CVE-2007-3950", "CVE-2007-4727"); script_xref(name:"DSA", value:"1362"); script_name(english:"Debian DSA-1362-2 : lighttpd - several vulnerabilities"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Several vulnerabilities were discovered in lighttpd, a fast webserver with minimal memory footprint, which could allow the execution of arbitrary code via the overflow of CGI variables when mod_fcgi was enabled. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-3946 The use of mod_auth could leave to a denial of service attack crashing the webserver. - CVE-2007-3947 The improper handling of repeated HTTP headers could cause a denial of service attack crashing the webserver. - CVE-2007-3949 A bug in mod_access potentially allows remote users to bypass access restrictions via trailing slash characters. - CVE-2007-3950 On 32-bit platforms users may be able to create denial of service attacks, crashing the webserver, via mod_webdav, mod_fastcgi, or mod_scgi." 
); script_set_attribute( attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=434888" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2007-3946" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2007-3947" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2007-3949" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2007-3950" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2007/dsa-1362" ); script_set_attribute( attribute:"solution", value: "Upgrade the lighttpd package. For the stable distribution (etch), these problems have been fixed in version 1.4.13-4etch4." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack'); script_cwe_id(119); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:lighttpd"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0"); script_set_attribute(attribute:"patch_publication_date", value:"2007/08/29"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/09/03"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"4.0", prefix:"lighttpd", reference:"1.4.13-4etch4")) flag++; if (deb_check(release:"4.0", prefix:"lighttpd-doc", reference:"1.4.13-4etch4")) flag++; if (deb_check(release:"4.0", prefix:"lighttpd-mod-cml", reference:"1.4.13-4etch4")) flag++; if (deb_check(release:"4.0", prefix:"lighttpd-mod-magnet", reference:"1.4.13-4etch4")) flag++; if (deb_check(release:"4.0", prefix:"lighttpd-mod-mysql-vhost", reference:"1.4.13-4etch4")) flag++; if (deb_check(release:"4.0", prefix:"lighttpd-mod-trigger-b4-dl", reference:"1.4.13-4etch4")) flag++; if (deb_check(release:"4.0", prefix:"lighttpd-mod-webdav", reference:"1.4.13-4etch4")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_FC9C217E379111DCBB1A000FEA449B8A.NASL description Secunia Advisory reports : Some vulnerabilities have been reported in lighttpd, which can be exploited by malicious people to bypass certain security restrictions or cause a DoS (Denial of Service). last seen 2020-06-01 modified 2020-06-02 plugin id 25788 published 2007-07-27 reporter This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/25788 title FreeBSD : lighttpd -- multiple vulnerabilities (fc9c217e-3791-11dc-bb1a-000fea449b8a) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from the FreeBSD VuXML database : # # Copyright 2003-2018 Jacques Vidrine and contributors # # Redistribution and use in source (VuXML) and 'compiled' forms (SGML, # HTML, PDF, PostScript, RTF and so forth) with or without modification, # are permitted provided that the following conditions are met: # 1. Redistributions of source code (VuXML) must retain the above # copyright notice, this list of conditions and the following # disclaimer as the first lines of this file unmodified. # 2. Redistributions in compiled form (transformed to other DTDs, # published online in any format, converted to PDF, PostScript, # RTF and other formats) must reproduce the above copyright # notice, this list of conditions and the following disclaimer # in the documentation and/or other materials provided with the # distribution. # # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS" # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR # PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # include("compat.inc"); if (description) { script_id(25788); script_version("1.13"); script_cvs_date("Date: 2019/08/02 13:32:39"); script_cve_id("CVE-2007-3947", "CVE-2007-3948", "CVE-2007-3949", "CVE-2007-3950"); script_name(english:"FreeBSD : lighttpd -- multiple vulnerabilities (fc9c217e-3791-11dc-bb1a-000fea449b8a)"); script_summary(english:"Checks for updated package in pkg_info output"); script_set_attribute( attribute:"synopsis", value:"The remote FreeBSD host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Secunia Advisory reports : Some vulnerabilities have been reported in lighttpd, which can be exploited by malicious people to bypass certain security restrictions or cause a DoS (Denial of Service)." 
); script_set_attribute( attribute:"see_also", value:"http://trac.lighttpd.net/trac/ticket/1216" ); script_set_attribute( attribute:"see_also", value:"http://trac.lighttpd.net/trac/ticket/1232" ); script_set_attribute( attribute:"see_also", value:"http://trac.lighttpd.net/trac/ticket/1230" ); script_set_attribute( attribute:"see_also", value:"http://trac.lighttpd.net/trac/ticket/1263" ); # https://vuxml.freebsd.org/freebsd/fc9c217e-3791-11dc-bb1a-000fea449b8a.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?ea2b217c" ); script_set_attribute(attribute:"solution", value:"Update the affected package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:lighttpd"); script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd"); script_set_attribute(attribute:"vuln_publication_date", value:"2007/07/20"); script_set_attribute(attribute:"patch_publication_date", value:"2007/07/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/07/27"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof."); script_family(english:"FreeBSD Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info"); exit(0); } include("audit.inc"); include("freebsd_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD"); if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (pkg_test(save_report:TRUE, pkg:"lighttpd<1.4.15_1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family SuSE Local Security Checks NASL id SUSE_LIGHTTPD-3985.NASL description Multiple bugs in lighttpd allowed remote attackers to crash lighttpd, circumvent access restricions or even execute code. (CVE-2007-3946, CVE-2007-3947, CVE-2007-3948, CVE-2007-3949, CVE-2007-3950) last seen 2020-06-01 modified 2020-06-02 plugin id 27340 published 2007-10-17 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/27340 title openSUSE 10 Security Update : lighttpd (lighttpd-3985) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update lighttpd-3985. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(27340); script_version ("1.13"); script_cvs_date("Date: 2019/10/25 13:36:30"); script_cve_id("CVE-2007-3946", "CVE-2007-3947", "CVE-2007-3948", "CVE-2007-3949", "CVE-2007-3950"); script_name(english:"openSUSE 10 Security Update : lighttpd (lighttpd-3985)"); script_summary(english:"Check for the lighttpd-3985 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "Multiple bugs in lighttpd allowed remote attackers to crash lighttpd, circumvent access restricions or even execute code. (CVE-2007-3946, CVE-2007-3947, CVE-2007-3948, CVE-2007-3949, CVE-2007-3950)" ); script_set_attribute( attribute:"solution", value:"Update the affected lighttpd package." 
); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:lighttpd"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.2"); script_set_attribute(attribute:"patch_publication_date", value:"2007/07/30"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/10/17"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE10\.1|SUSE10\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "10.1 / 10.2", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE10.1", reference:"lighttpd-1.4.10-11.11") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"lighttpd-1.4.13-41.4") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "lighttpd"); }
NASL family Web Servers NASL id LIGHTTPD_1_4_16.NASL description According to its banner, the version of lighttpd running on the remote host is prior to 1.4.16. It is, therefore, affected by multiple vulnerabilities : - mod_auth allows remote attackers to cause a denial of service via unspecified vectors involving (1) a memory leak, (2) use of md5-sess without a cnonce, (3) base64 encoded strings, and (4) trailing whitespace in the Auth-Digest header. (CVE-2007-3946) - The server allows remote attackers to cause a denial of service by sending an HTTP request with duplicate headers. (CVE-2007-3947) - The server might accept more connections than the configured maximum, which allows remote attackers to cause a denial of service via a large number of connection attempts. (CVE-2007-3948) - mod_access ignores trailing / (slash) characters in the URL, which allows remote attackers to bypass url.access-deny settings (CVE-2007-3949) - The server, when run on 32 bit platforms, allows remote attackers to cause a denial of service (daemon crash) via unspecified vectors involving the use of incompatible format specifiers in certain debugging messages in the (1) mod_scgi, (2) mod_fastcgi, and (3) mod_webdav modules. (CVE-2007-3950) Note that Nessus has not tested for these issues but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 106623 published 2018-02-06 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106623 title lighttpd < 1.4.16 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. 
# include("compat.inc"); if (description) { script_id(106623); script_version("1.3"); script_cvs_date("Date: 2019/11/08"); script_cve_id( "CVE-2007-3946", "CVE-2007-3947", "CVE-2007-3948", "CVE-2007-3949", "CVE-2007-3950" ); script_bugtraq_id(24967); script_name(english:"lighttpd < 1.4.16 Multiple Vulnerabilities"); script_summary(english:"Checks version in Server response header."); script_set_attribute(attribute:"synopsis", value: "The remote web server is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its banner, the version of lighttpd running on the remote host is prior to 1.4.16. It is, therefore, affected by multiple vulnerabilities : - mod_auth allows remote attackers to cause a denial of service via unspecified vectors involving (1) a memory leak, (2) use of md5-sess without a cnonce, (3) base64 encoded strings, and (4) trailing whitespace in the Auth-Digest header. (CVE-2007-3946) - The server allows remote attackers to cause a denial of service by sending an HTTP request with duplicate headers. (CVE-2007-3947) - The server might accept more connections than the configured maximum, which allows remote attackers to cause a denial of service via a large number of connection attempts. (CVE-2007-3948) - mod_access ignores trailing / (slash) characters in the URL, which allows remote attackers to bypass url.access-deny settings (CVE-2007-3949) - The server, when run on 32 bit platforms, allows remote attackers to cause a denial of service (daemon crash) via unspecified vectors involving the use of incompatible format specifiers in certain debugging messages in the (1) mod_scgi, (2) mod_fastcgi, and (3) mod_webdav modules. 
(CVE-2007-3950) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"solution", value: "Upgrade to lighttpd version 1.4.16 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2007/07/23"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/02/06"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:lighttpd:lighttpd"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Web Servers"); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("lighttpd_detect.nasl"); script_require_keys("installed_sw/lighttpd", "Settings/ParanoidReport"); script_require_ports("Services/www", 80); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); include("vcf.inc"); if (report_paranoia < 2) audit(AUDIT_PARANOID); appname = "lighttpd"; get_install_count(app_name:appname, exit_if_zero:TRUE); port = get_http_port(default:80); app_info = vcf::get_app_info(app:appname, port:port, webapp:TRUE); vcf::check_granularity(app_info:app_info, sig_segments:3); constraints = [{"fixed_version":"1.4.16"}]; vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200708-11.NASL description The remote host is affected by the vulnerability described in GLSA-200708-11 (Lighttpd: Multiple vulnerabilities) Stefan Esser discovered errors with evidence of memory corruption in the code parsing the headers. Several independent researchers also reported errors involving the handling of HTTP headers, the mod_auth and mod_scgi modules, and the limitation of active connections. Impact : A remote attacker can trigger any of these vulnerabilities by sending malicious data to the server, which may lead to a crash or memory exhaustion, and potentially the execution of arbitrary code. Additionally, access-deny settings can be evaded by appending a final / to a URL. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 25917 published 2007-08-21 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/25917 title GLSA-200708-11 : Lighttpd: Multiple vulnerabilities code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 200708-11. # # The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. 
See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(25917); script_version("1.14"); script_cvs_date("Date: 2019/08/02 13:32:44"); script_cve_id("CVE-2007-3946", "CVE-2007-3947", "CVE-2007-3948", "CVE-2007-3949", "CVE-2007-3950"); script_xref(name:"GLSA", value:"200708-11"); script_name(english:"GLSA-200708-11 : Lighttpd: Multiple vulnerabilities"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-200708-11 (Lighttpd: Multiple vulnerabilities) Stefan Esser discovered errors with evidence of memory corruption in the code parsing the headers. Several independent researchers also reported errors involving the handling of HTTP headers, the mod_auth and mod_scgi modules, and the limitation of active connections. Impact : A remote attacker can trigger any of these vulnerabilities by sending malicious data to the server, which may lead to a crash or memory exhaustion, and potentially the execution of arbitrary code. Additionally, access-deny settings can be evaded by appending a final / to a URL. Workaround : There is no known workaround at this time." 
); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/200708-11" ); script_set_attribute( attribute:"solution", value: "All Lighttpd users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=www-servers/lighttpd-1.4.16'" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:lighttpd"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2007/08/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/08/21"); script_set_attribute(attribute:"vuln_publication_date", value:"2007/06/15"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"www-servers/lighttpd", unaffected:make_list("ge 1.4.16"), vulnerable:make_list("lt 1.4.16"))) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get()); else security_hole(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Lighttpd"); }
References
- http://secunia.com/advisories/26130
- http://secunia.com/advisories/26158
- http://secunia.com/advisories/26505
- http://secunia.com/advisories/26593
- http://security.gentoo.org/glsa/glsa-200708-11.xml
- http://securityreason.com/securityalert/2909
- http://trac.lighttpd.net/trac/changeset/1882
- http://trac.lighttpd.net/trac/ticket/1263
- http://www.debian.org/security/2007/dsa-1362
- http://www.novell.com/linux/security/advisories/2007_15_sr.html
- http://www.securityfocus.com/archive/1/474131/100/0/threaded
- http://www.securityfocus.com/bid/24967
- http://www.vupen.com/english/advisories/2007/2585