CVE-2013-1427 - Cryptographic Issues vulnerability in Lighttpd
Attack vector | UNKNOWN |
Attack complexity | UNKNOWN |
Privileges required | UNKNOWN |
Confidentiality impact | UNKNOWN |
Integrity impact | UNKNOWN |
Availability impact | UNKNOWN |
Summary
The configuration file for the FastCGI PHP support for lighttpd before 1.4.28 on Debian GNU/Linux creates a socket file with a predictable name in /tmp, which allows local users to hijack the PHP control socket and perform unauthorized actions such as forcing the use of a different version of PHP via a symlink attack or a race condition.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Signature Spoofing by Key Recreation: An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Nessus
NASL family | Web Servers |
NASL id | LIGHTTPD_1_4_28.NASL |
description | According to its banner, the version of lighttpd running on the remote host is prior to 1.4.28. Therefore, it may be affected by the following vulnerability: - The configuration file for the FastCGI PHP support for lighttpd before 1.4.28 on Debian GNU/Linux creates a socket file with a predictable name in /tmp, which allows local users to hijack the PHP control socket and perform unauthorized actions such as forcing the use of a different version of PHP via a symlink attack or a race condition. Note that Nessus has not tested for these issues but has instead relied only on the application |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 106626 |
published | 2018-02-06 |
reporter | This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/106626 |
title | lighttpd < 1.4.28 Insecure Temporary File Creation |

NASL family | Solaris Local Security Checks |
NASL id | SOLARIS11_LIGHTTPD_20140721.NASL |
description | The remote Solaris system is missing necessary patches to address security updates: - lighttpd before 1.4.26, and 1.5.x, allocates a buffer for each read operation that occurs for a request, which allows remote attackers to cause a denial of service (memory consumption) by breaking a request into small pieces that are sent at a slow rate. (CVE-2010-0295) - The configuration file for the FastCGI PHP support for lighttpd before 1.4.28 on Debian GNU/Linux creates a socket file with a predictable name in /tmp, which allows local users to hijack the PHP control socket and perform unauthorized actions such as forcing the use of a different version of PHP via a symlink attack or a race condition. (CVE-2013-1427) - Unspecified vulnerability in Lighttpd in Oracle Solaris 11.1 allows attackers to cause a denial of service via unknown vectors. (CVE-2014-2469) |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 80699 |
published | 2015-01-19 |
reporter | This script is Copyright (C) 2015-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/80699 |
title | Oracle Solaris Third-Party Patch Update : lighttpd (cve_2014_2469_denial_of) |

NASL family | Debian Local Security Checks |
NASL id | DEBIAN_DSA-2649.NASL |
description | Stefan Buhler discovered that the Debian specific configuration file for lighttpd webserver FastCGI PHP support used a fixed socket name in the world-writable /tmp directory. A symlink attack or a race condition could be exploited by a malicious user on the same machine to take over the PHP control socket and for example force the webserver to use a different PHP version. As the fix is in a configuration file lying in /etc, the update won |
last seen | 2020-03-17 |
modified | 2013-03-17 |
plugin id | 65585 |
published | 2013-03-17 |
reporter | This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/65585 |
title | Debian DSA-2649-1 : lighttpd - fixed socket name in world-writable directory |
Seebug
bulletinFamily | exploit |
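description | BUGTRAQ ID: 58528 CVE(CAN) ID: CVE-2013-1427 Lighttpd is a lightweight open-source web server software package. lighttpd has an insecure temporary file creation vulnerability in its implementation; a local attacker can exploit this vulnerability to perform a symlink attack in the affected application and overwrite arbitrary files. 0 Lighttpd Vendor patch: Debian ------ The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's home page: http://www.debian.org/security/ |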
id | SSV:60681 |
last seen | 2017-11-19 |
modified | 2013-03-19 |
published | 2013-03-19 |
reporter | Root |
title | lighttpd insecure temporary file creation vulnerability (CVE-2013-1427) |
References
- http://osvdb.org/91462
- http://www.debian.org/security/2013/dsa-2649
- http://www.securityfocus.com/bid/58528
- https://exchange.xforce.ibmcloud.com/vulnerabilities/82897