The configuration file for the FastCGI PHP support for lighttpd before 1.4.28 on Debian GNU/Linux creates a socket file with a predictable name in /tmp, which allows local users to hijack the PHP control socket and perform unauthorized actions such as forcing the use of a different version of PHP via a symlink attack or a race condition.

According to its banner, the version of lighttpd running on the remote host is prior to 1.4.28. Therefore, it may be, affected by the following vulnerability :

 - The configuration file for the FastCGI PHP support for lighttpd before 1.4.28 on Debian GNU/Linux creates a socket file with a predictable name in /tmp, which allows local users to hijack the PHP control socket and perform unauthorized actions such as forcing the use of a different version of PHP via a symlink attack or a race condition.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of lighttpd running on the remote host is prior to 1.4.28. Therefore, it may be, affected by the following vulnerability :

  - The configuration file for the FastCGI PHP support for lighttpd     before 1.4.28 on Debian GNU/Linux creates a socket file with a     predictable name in /tmp, which allows local users to hijack the     PHP control socket and perform unauthorized actions such as forcing     the use of a different version of PHP via a symlink attack or a     race condition.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Solaris system is missing necessary patches to address security updates :

  - lighttpd before 1.4.26, and 1.5.x, allocates a buffer     for each read operation that occurs for a request, which     allows remote attackers to cause a denial of service     (memory consumption) by breaking a request into small     pieces that are sent at a slow rate. (CVE-2010-0295)

  - The configuration file for the FastCGI PHP support for     lighthttpd before 1.4.28 on Debian GNU/Linux creates a     socket file with a predictable name in /tmp, which     allows local users to hijack the PHP control socket and     perform unauthorized actions such as forcing the use of     a different version of PHP via a symlink attack or a     race condition. (CVE-2013-1427)

  - Unspecified vulnerability in Lighthttpd in Oracle     Solaris 11.1 allows attackers to cause a denial of     service via unknown vectors. (CVE-2014-2469)

Stefan Buhler discovered that the Debian specific configuration file for lighttpd webserver FastCGI PHP support used a fixed socket name in the world-writable /tmp directory. A symlink attack or a race condition could be exploited by a malicious user on the same machine to take over the PHP control socket and for example force the webserver to use a different PHP version.

As the fix is in a configuration file lying in /etc, the update won't be enforced if the file has been modified by the administrator. In that case, care should be taken to manually apply the fix.

ID	Name	Product	Family	Severity
112354	lighttpd < 1.4.28 Insecure Temporary File Creation	Web App Scanning	Component Vulnerability	high
106626	lighttpd < 1.4.28 Insecure Temporary File Creation	Nessus	Web Servers	low
80699	Oracle Solaris Third-Party Patch Update : lighttpd (cve_2014_2469_denial_of)	Nessus	Solaris Local Security Checks	medium
65585	Debian DSA-2649-1 : lighttpd - fixed socket name in world-writable directory	Nessus	Debian Local Security Checks	low

Detections

Analytics

CVE-2013-1427

high

Tenable Plugins

high

low

medium

low