Vulnerabilities > CVE-2007-3950 - Unspecified vulnerability in Lighttpd

047910
CVSS 4.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
lighttpd
nessus

Summary

lighttpd 1.4.15, when run on 32 bit platforms, allows remote attackers to cause a denial of service (daemon crash) via unspecified vectors involving the use of incompatible format specifiers in certain debugging messages in the (1) mod_scgi, (2) mod_fastcgi, and (3) mod_webdav modules. Vendor has released upgrade for vulnerability: http://trac.lighttpd.net/trac/

Nessus

  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1362.NASL
    descriptionSeveral vulnerabilities were discovered in lighttpd, a fast webserver with minimal memory footprint, which could allow the execution of arbitrary code via the overflow of CGI variables when mod_fcgi was enabled. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-3946 The use of mod_auth could leave to a denial of service attack crashing the webserver. - CVE-2007-3947 The improper handling of repeated HTTP headers could cause a denial of service attack crashing the webserver. - CVE-2007-3949 A bug in mod_access potentially allows remote users to bypass access restrictions via trailing slash characters. - CVE-2007-3950 On 32-bit platforms users may be able to create denial of service attacks, crashing the webserver, via mod_webdav, mod_fastcgi, or mod_scgi.
    last seen2020-06-01
    modified2020-06-02
    plugin id25962
    published2007-09-03
    reporterThis script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/25962
    titleDebian DSA-1362-2 : lighttpd - several vulnerabilities
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1362. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(25962);
      script_version("1.20");
      script_cvs_date("Date: 2019/08/02 13:32:20");
    
      script_cve_id("CVE-2007-2841", "CVE-2007-3946", "CVE-2007-3947", "CVE-2007-3948", "CVE-2007-3949", "CVE-2007-3950", "CVE-2007-4727");
      script_xref(name:"DSA", value:"1362");
    
      script_name(english:"Debian DSA-1362-2 : lighttpd - several vulnerabilities");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several vulnerabilities were discovered in lighttpd, a fast webserver
    with minimal memory footprint, which could allow the execution of
    arbitrary code via the overflow of CGI variables when mod_fcgi was
    enabled. The Common Vulnerabilities and Exposures project identifies
    the following problems :
    
      - CVE-2007-3946
        The use of mod_auth could leave to a denial of service
        attack crashing the webserver.
    
      - CVE-2007-3947
        The improper handling of repeated HTTP headers could
        cause a denial of service attack crashing the webserver.
    
      - CVE-2007-3949
        A bug in mod_access potentially allows remote users to
        bypass access restrictions via trailing slash
        characters.
    
      - CVE-2007-3950
        On 32-bit platforms users may be able to create denial
        of service attacks, crashing the webserver, via
        mod_webdav, mod_fastcgi, or mod_scgi."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=434888"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2007-3946"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2007-3947"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2007-3949"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2007-3950"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2007/dsa-1362"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the lighttpd package.
    
    For the stable distribution (etch), these problems have been fixed in
    version 1.4.13-4etch4."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack');
      script_cwe_id(119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:lighttpd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2007/08/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/09/03");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"4.0", prefix:"lighttpd", reference:"1.4.13-4etch4")) flag++;
    if (deb_check(release:"4.0", prefix:"lighttpd-doc", reference:"1.4.13-4etch4")) flag++;
    if (deb_check(release:"4.0", prefix:"lighttpd-mod-cml", reference:"1.4.13-4etch4")) flag++;
    if (deb_check(release:"4.0", prefix:"lighttpd-mod-magnet", reference:"1.4.13-4etch4")) flag++;
    if (deb_check(release:"4.0", prefix:"lighttpd-mod-mysql-vhost", reference:"1.4.13-4etch4")) flag++;
    if (deb_check(release:"4.0", prefix:"lighttpd-mod-trigger-b4-dl", reference:"1.4.13-4etch4")) flag++;
    if (deb_check(release:"4.0", prefix:"lighttpd-mod-webdav", reference:"1.4.13-4etch4")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_FC9C217E379111DCBB1A000FEA449B8A.NASL
    descriptionSecunia Advisory reports : Some vulnerabilities have been reported in lighttpd, which can be exploited by malicious people to bypass certain security restrictions or cause a DoS (Denial of Service).
    last seen2020-06-01
    modified2020-06-02
    plugin id25788
    published2007-07-27
    reporterThis script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/25788
    titleFreeBSD : lighttpd -- multiple vulnerabilities (fc9c217e-3791-11dc-bb1a-000fea449b8a)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2018 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(25788);
      script_version("1.13");
      script_cvs_date("Date: 2019/08/02 13:32:39");
    
      script_cve_id("CVE-2007-3947", "CVE-2007-3948", "CVE-2007-3949", "CVE-2007-3950");
    
      script_name(english:"FreeBSD : lighttpd -- multiple vulnerabilities (fc9c217e-3791-11dc-bb1a-000fea449b8a)");
      script_summary(english:"Checks for updated package in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote FreeBSD host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Secunia Advisory reports :
    
    Some vulnerabilities have been reported in lighttpd, which can be
    exploited by malicious people to bypass certain security restrictions
    or cause a DoS (Denial of Service)."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://trac.lighttpd.net/trac/ticket/1216"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://trac.lighttpd.net/trac/ticket/1232"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://trac.lighttpd.net/trac/ticket/1230"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://trac.lighttpd.net/trac/ticket/1263"
      );
      # https://vuxml.freebsd.org/freebsd/fc9c217e-3791-11dc-bb1a-000fea449b8a.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?ea2b217c"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:lighttpd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2007/07/20");
      script_set_attribute(attribute:"patch_publication_date", value:"2007/07/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/07/27");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (pkg_test(save_report:TRUE, pkg:"lighttpd<1.4.15_1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_LIGHTTPD-3985.NASL
    descriptionMultiple bugs in lighttpd allowed remote attackers to crash lighttpd, circumvent access restricions or even execute code. (CVE-2007-3946, CVE-2007-3947, CVE-2007-3948, CVE-2007-3949, CVE-2007-3950)
    last seen2020-06-01
    modified2020-06-02
    plugin id27340
    published2007-10-17
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/27340
    titleopenSUSE 10 Security Update : lighttpd (lighttpd-3985)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update lighttpd-3985.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(27340);
      script_version ("1.13");
      script_cvs_date("Date: 2019/10/25 13:36:30");
    
      script_cve_id("CVE-2007-3946", "CVE-2007-3947", "CVE-2007-3948", "CVE-2007-3949", "CVE-2007-3950");
    
      script_name(english:"openSUSE 10 Security Update : lighttpd (lighttpd-3985)");
      script_summary(english:"Check for the lighttpd-3985 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Multiple bugs in lighttpd allowed remote attackers to crash lighttpd,
    circumvent access restricions or even execute code. (CVE-2007-3946,
    CVE-2007-3947, CVE-2007-3948, CVE-2007-3949, CVE-2007-3950)"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected lighttpd package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:lighttpd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2007/07/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/10/17");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE10\.1|SUSE10\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "10.1 / 10.2", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE10.1", reference:"lighttpd-1.4.10-11.11") ) flag++;
    if ( rpm_check(release:"SUSE10.2", reference:"lighttpd-1.4.13-41.4") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "lighttpd");
    }
    
  • NASL familyWeb Servers
    NASL idLIGHTTPD_1_4_16.NASL
    descriptionAccording to its banner, the version of lighttpd running on the remote host is prior to 1.4.16. It is, therefore, affected by multiple vulnerabilities : - mod_auth allows remote attackers to cause a denial of service via unspecified vectors involving (1) a memory leak, (2) use of md5-sess without a cnonce, (3) base64 encoded strings, and (4) trailing whitespace in the Auth-Digest header. (CVE-2007-3946) - The server allows remote attackers to cause a denial of service by sending an HTTP request with duplicate headers. (CVE-2007-3947) - The server might accept more connections than the configured maximum, which allows remote attackers to cause a denial of service via a large number of connection attempts. (CVE-2007-3948) - mod_access ignores trailing / (slash) characters in the URL, which allows remote attackers to bypass url.access-deny settings (CVE-2007-3949) - The server, when run on 32 bit platforms, allows remote attackers to cause a denial of service (daemon crash) via unspecified vectors involving the use of incompatible format specifiers in certain debugging messages in the (1) mod_scgi, (2) mod_fastcgi, and (3) mod_webdav modules. (CVE-2007-3950) Note that Nessus has not tested for these issues but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id106623
    published2018-02-06
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/106623
    titlelighttpd < 1.4.16 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(106623);
      script_version("1.3");
      script_cvs_date("Date: 2019/11/08");
    
      script_cve_id(
        "CVE-2007-3946",
        "CVE-2007-3947",
        "CVE-2007-3948",
        "CVE-2007-3949",
        "CVE-2007-3950"
      );
      script_bugtraq_id(24967);
    
      script_name(english:"lighttpd < 1.4.16 Multiple Vulnerabilities");
      script_summary(english:"Checks version in Server response header.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote web server is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its banner, the version of lighttpd running on the remote
    host is prior to 1.4.16. It is, therefore, affected by multiple
    vulnerabilities :
    
      - mod_auth allows remote attackers to cause a denial of service
        via unspecified vectors involving (1) a memory leak, (2) use
        of md5-sess without a cnonce, (3) base64 encoded strings, and
        (4) trailing whitespace in the Auth-Digest header.
        (CVE-2007-3946)
    
      - The server allows remote attackers to cause a denial of
        service by sending an HTTP request with duplicate headers.
        (CVE-2007-3947)
    
      - The server might accept more connections than the configured
        maximum, which allows remote attackers to cause a denial of
        service via a large number of connection attempts.
        (CVE-2007-3948)
    
      - mod_access ignores trailing / (slash) characters in the URL,
        which allows remote attackers to bypass url.access-deny settings
        (CVE-2007-3949)
    
      - The server, when run on 32 bit platforms, allows remote attackers
        to cause a denial of service (daemon crash) via unspecified vectors
        involving the use of incompatible format specifiers in certain
        debugging messages in the (1) mod_scgi, (2) mod_fastcgi, and
        (3) mod_webdav modules. (CVE-2007-3950)
    
    Note that Nessus has not tested for these issues but has instead
    relied only on the application's self-reported version number.");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to lighttpd version 1.4.16 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2007/07/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/02/06");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:lighttpd:lighttpd");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Web Servers");
    
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("lighttpd_detect.nasl");
      script_require_keys("installed_sw/lighttpd", "Settings/ParanoidReport");
      script_require_ports("Services/www", 80);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("vcf.inc");
    
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    appname = "lighttpd";
    get_install_count(app_name:appname, exit_if_zero:TRUE);
    port = get_http_port(default:80);
    app_info = vcf::get_app_info(app:appname, port:port, webapp:TRUE);
    
    vcf::check_granularity(app_info:app_info, sig_segments:3);
    
    constraints = [{"fixed_version":"1.4.16"}];
    vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
    
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200708-11.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200708-11 (Lighttpd: Multiple vulnerabilities) Stefan Esser discovered errors with evidence of memory corruption in the code parsing the headers. Several independent researchers also reported errors involving the handling of HTTP headers, the mod_auth and mod_scgi modules, and the limitation of active connections. Impact : A remote attacker can trigger any of these vulnerabilities by sending malicious data to the server, which may lead to a crash or memory exhaustion, and potentially the execution of arbitrary code. Additionally, access-deny settings can be evaded by appending a final / to a URL. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id25917
    published2007-08-21
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/25917
    titleGLSA-200708-11 : Lighttpd: Multiple vulnerabilities
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200708-11.
    #
    # The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(25917);
      script_version("1.14");
      script_cvs_date("Date: 2019/08/02 13:32:44");
    
      script_cve_id("CVE-2007-3946", "CVE-2007-3947", "CVE-2007-3948", "CVE-2007-3949", "CVE-2007-3950");
      script_xref(name:"GLSA", value:"200708-11");
    
      script_name(english:"GLSA-200708-11 : Lighttpd: Multiple vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-200708-11
    (Lighttpd: Multiple vulnerabilities)
    
        Stefan Esser discovered errors with evidence of memory corruption in
        the code parsing the headers. Several independent researchers also
        reported errors involving the handling of HTTP headers, the mod_auth
        and mod_scgi modules, and the limitation of active connections.
      
    Impact :
    
        A remote attacker can trigger any of these vulnerabilities by sending
        malicious data to the server, which may lead to a crash or memory
        exhaustion, and potentially the execution of arbitrary code.
        Additionally, access-deny settings can be evaded by appending a final /
        to a URL.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200708-11"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All Lighttpd users should upgrade to the latest version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=www-servers/lighttpd-1.4.16'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:lighttpd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2007/08/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/08/21");
      script_set_attribute(attribute:"vuln_publication_date", value:"2007/06/15");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"www-servers/lighttpd", unaffected:make_list("ge 1.4.16"), vulnerable:make_list("lt 1.4.16"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Lighttpd");
    }