Lighttpd Remote CGI Script Disclosure Vulnerability
BID:12567
Info
| Bugtraq ID: | 12567 |
| Class: | Failure to Handle Exceptional Conditions |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Feb 15 2005 12:00AM |
| Updated: | Feb 15 2005 12:00AM |
| Credit: | The vendor announced this vulnerability. |
| Vulnerable: | lighttpd lighttpd 1.3.7, Gentoo Linux |
| Not Vulnerable: | lighttpd lighttpd 1.3.10, lighttpd lighttpd 1.3.8 |
Discussion
lighttpd is reported to be prone to an information disclosure vulnerability.
Reports indicate that a NUL byte appended to the filename of a CGI or FastCGI script causes the server to return the script's source to the requester instead of executing it.
Information harvested by exploiting this vulnerability may aid further attacks against the target computer.
This vulnerability is reported to affect lighttpd 1.3.7 and previous versions.
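As an added illustration of the NUL-byte truncation bug class the discussion describes (hypothetical code written for this page, not lighttpd's source and not taken from the advisory): a dispatcher whose length-aware extension check and C-string file open disagree about where the path ends, beside a hardened version that rejects any decoded path containing an embedded NUL before dispatch. The function names, buffer sizes and routing logic are assumptions for the illustration.

```c
/* Added illustration of the NUL-byte truncation bug class behind this advisory.
 * Hypothetical routing code written for this page, NOT lighttpd's source. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
enum handler { HANDLER_REJECT = 0, HANDLER_CGI = 1, HANDLER_STATIC = 2 };

/* Percent-decode a URI path; returns decoded byte length, NUL bytes included. */
static size_t url_decode(const char *in, char *out, size_t outsz) {
    size_t n = 0;
    for (; *in && n + 1 < outsz; in++) {
        if (*in == '%' && in[1] && in[2]) {
            char hex[3] = { in[1], in[2], 0 };
            out[n++] = (char)strtol(hex, NULL, 16);
            in += 2;
        } else {
            out[n++] = *in;
        }
    }
    out[n] = '\0';
    return n;
}

/* Length-aware suffix check, as a server that tracks buffer lengths does. */
static int has_suffix(const char *s, size_t n, const char *suffix) {
    size_t m = strlen(suffix);
    return n >= m && memcmp(s + n - m, suffix, m) == 0;
}

/* Vulnerable routing: the length-aware check sees "...cgi\0", which is not
 * ".cgi", so the request falls through to the static-file handler; that
 * handler treats the path as a C string, which stops at the NUL, so the
 * script file itself is served rather than executed. */
enum handler route_vulnerable(const char *uri, char *fs_path, size_t sz) {
    char dec[256];
    size_t n = url_decode(uri, dec, sizeof dec);
    snprintf(fs_path, sz, "%s", dec);   /* C-string truncation at the NUL */
    return has_suffix(dec, n, ".cgi") ? HANDLER_CGI : HANDLER_STATIC;
}

/* Hardened routing: reject any decoded path with an embedded NUL (byte
 * length and C-string length disagree) before any handler sees it. */
enum handler route_hardened(const char *uri, char *fs_path, size_t sz) {
    char dec[256];
    size_t n = url_decode(uri, dec, sizeof dec);
    if (n != strlen(dec)) { fs_path[0] = '\0'; return HANDLER_REJECT; }
    snprintf(fs_path, sz, "%s", dec);
    return has_suffix(dec, n, ".cgi") ? HANDLER_CGI : HANDLER_STATIC;
}
```

The same length-versus-strlen comparison is a cheap check to put in front of any path-handling code that mixes length-tracked buffers with C-string APIs.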
Exploit / POC
No exploit is required.
Solution / Fix
Solution:
The vendor has released version 1.3.10 to address this vulnerability.
Gentoo Linux has released an advisory (GLSA 200502-21) and an updated ebuild to address this vulnerability on Gentoo Linux systems. A Gentoo user may apply the fix by issuing the following sequence of commands as the superuser:
emerge --sync
emerge --ask --oneshot --verbose ">=www-servers/lighttpd-1.3.10-r1"
lighttpd lighttpd 1.3.7: upgrade to lighttpd lighttpd 1.3.10, available from http://www.lighttpd.net/download/
References
References:
- lighttpd Home Page (lighttpd)
- SECURITY: script exposure in lighttpd 1.3.7 and below (Jan Kneschke, kneschke.de)