LiteSpeed Web Server Source Code Information Disclosure

medium Nessus Plugin ID 48246

Synopsis

The remote web server is affected by a source code disclosure vulnerability.

Description

The installed version of the LiteSpeed web server software on the remote host returns the source of scripts hosted on it when a NULL byte and '.txt' is appended to the request URL.

A remote attacker may be able to leverage this issue to view a file on the web server's source code and possibly obtain passwords and other sensitive information from this host.

Solution

Upgrade to LiteSpeed version 4.0.15 or later.

See Also

https://seclists.org/fulldisclosure/2010/Jun/288

http://www.nessus.org/u?07c5c34e

Plugin Details

Severity: Medium

ID: 48246

File Name: litespeed_poison_null_byte.nasl

Version: 1.13

Type: remote

Family: Web Servers

Published: 8/4/2010

Updated: 11/15/2018

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.2

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Information

Required KB Items: www/PHP

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Patch Publication Date: 6/13/2010

Vulnerability Publication Date: 6/12/2010

Reference Information

CVE: CVE-2010-2333

BID: 40815

Secunia: 40128