mod_auth in lighttpd before 1.4.36 allows remote attackers to inject arbitrary log entries via a basic HTTP authentication string without a colon character, as demonstrated by a string containing a NULL and new line character.

The remote Ubuntu 16.04 ESM / 18.04 ESM host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4775-1 advisory.

    It was discovered that Lighttpd did not properly sanitized the string used in basic HTTP authentication     method. A remote attacker could use this to inject arbitrary log entries and maybe obtain sensitive     information. This issue only affected Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. (CVE-2015-3200)

    It was discovered that Lighttpd did not properly sanitized the string used in alias. A remote attacker     could use this to access the content of the directory above the alias and obtain sensitive information.
    (CVE-2018-19052)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of lighttpd running on the remote host is prior to 1.4.36. It is, therefore, affected by mod_auth vulnerability that allows remote attackers to inject arbitrary log entries via a basic HTTP authentication string without a colon character, as demonstrated by a string containing a NULL and new line character.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of lighttpd running on the remote host is prior to 1.4.36. It is, therefore, affected by the following vulnerabilities :

  - mod_auth in lighttpd before 1.4.36 allows remote attackers     to inject arbitrary log entries via a basic HTTP authentication     string without a colon character, as demonstrated by a string     containing a NULL and new line character.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

MITRE reports :

mod_auth in lighttpd before 1.4.36 allows remote attackers to inject arbitrary log entries via a basic HTTP authentication string without a colon character, as demonstrated by a string containing a NULL and new line character.

Latest upstream security release :

http://www.lighttpd.net/2015/7/26/1.4.36/

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
183126	Ubuntu 16.04 ESM / 18.04 ESM : Lighttpd vulnerabilities (USN-4775-1)	Nessus	Ubuntu Local Security Checks	high
112359	lighttpd < 1.4.36 mod_auth Arbitrary Log Entries Injection	Web App Scanning	Component Vulnerability	high
106627	lighttpd < 1.4.36 Multiple Vulnerabilities	Nessus	Web Servers	high
85319	FreeBSD : lighttpd -- Log injection vulnerability in mod_auth (dd7f29cc-3ee9-11e5-93ad-002590263bf5)	Nessus	FreeBSD Local Security Checks	high
85290	Fedora 22 : lighttpd-1.4.36-1.fc22 (2015-12252)	Nessus	Fedora Local Security Checks	high
85289	Fedora 21 : lighttpd-1.4.36-1.fc21 (2015-12250)	Nessus	Fedora Local Security Checks	high

Detections

Analytics

CVE-2015-3200

high

Tenable Plugins

high

high

high

high

high

high