lighttpd maintainer reports :

Lighttpd is prone to a header overflow when using the mod_fastcgi extension, this can lead to arbitrary code execution in the fastcgi application. For a detailed description of the bug see the external reference.

This bug was found by Mattias Bengtsson and Philip Olausson

Lighttpd (1.4.17 and earlier) is prone to a header overflow when using the mod_fastcgi extension, this can lead to arbitrary code execution in the fastcgi application. This 1.4.18 update fixes the issue.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-200710-02 (PHP: Multiple vulnerabilities)

    Several vulnerabilities were found in PHP. Mattias Bengtsson and Philip     Olausson reported integer overflows in the gdImageCreate() and     gdImageCreateTrueColor() functions of the GD library which can cause     heap-based buffer overflows (CVE-2007-3996). Gerhard Wagner discovered     an integer overflow in the chunk_split() function that can lead to a     heap-based buffer overflow (CVE-2007-2872). Its incomplete fix caused     incorrect buffer size calculation due to precision loss, also resulting     in a possible heap-based buffer overflow (CVE-2007-4661 and     CVE-2007-4660). A buffer overflow in the sqlite_decode_binary() of the     SQLite extension found by Stefan Esser that was addressed in PHP 5.2.1     was not fixed correctly (CVE-2007-1887).
    Stefan Esser discovered an error in the zend_alter_ini_entry() function     handling a memory_limit violation (CVE-2007-4659). Stefan Esser also     discovered a flaw when handling interruptions with userspace error     handlers that can be exploited to read arbitrary heap memory     (CVE-2007-1883). Disclosure of sensitive memory can also be triggered     due to insufficient boundary checks in the strspn() and strcspn()     functions, an issue discovered by Mattias Bengtsson and Philip Olausson     (CVE-2007-4657)     Stefan Esser reported incorrect validation in the FILTER_VALIDATE_EMAIL     filter of the Filter extension allowing arbitrary email header     injection (CVE-2007-1900). NOTE: This CVE was referenced, but not fixed     in GLSA 200705-19.
    Stanislav Malyshev found an error with unknown impact in the     money_format() function when processing '%i' and '%n' tokens     (CVE-2007-4658). zatanzlatan reported a buffer overflow in the     php_openssl_make_REQ() function with unknown impact when providing a     manipulated SSL configuration file (CVE-2007-4662). Possible memory     corruption when trying to read EXIF data in exif_read_data() and     exif_thumbnail() occurred with unknown impact.
    Several vulnerabilities that allow bypassing of open_basedir and other     restrictions were reported, including the glob() function     (CVE-2007-4663), the session_save_path(), ini_set(), and error_log()     functions which can allow local command execution (CVE-2007-3378),     involving the readfile() function (CVE-2007-3007), via the Session     extension (CVE-2007-4652), via the MySQL extension (CVE-2007-3997) and     in the dl() function which allows loading extensions outside of the     specified directory (CVE-2007-4825).
    Multiple Denial of Service vulnerabilities were discovered, including a     long 'library' parameter in the dl() function (CVE-2007-4887), in     several iconv and xmlrpc functions (CVE-2007-4840 and CVE-2007-4783),     in the setlocale() function (CVE-2007-4784), in the glob() and     fnmatch() function (CVE-2007-4782 and CVE-2007-3806), a floating point     exception in the wordwrap() function (CVE-2007-3998), a stack     exhaustion via deeply nested arrays (CVE-2007-4670), an infinite loop     caused by a specially crafted PNG image in the png_read_info() function     of libpng (CVE-2007-2756) and several issues related to array     conversion.
  Impact :

    Remote attackers might be able to exploit these issues in PHP     applications making use of the affected functions, potentially     resulting in the execution of arbitrary code, Denial of Service,     execution of scripted contents in the context of the affected site,     security bypass or information leak.
  Workaround :

    There is no known workaround at this time.

The remote host is affected by the vulnerability described in GLSA-200709-16 (Lighttpd: Buffer overflow)

    Mattias Bengtsson and Philip Olausson have discovered a buffer overflow     vulnerability in the function fcgi_env_add() in the file mod_fastcgi.c     when processing overly long HTTP headers.
  Impact :

    A remote attacker could send a specially crafted request to the     vulnerable Lighttpd server, resulting in the remote execution of     arbitrary code with privileges of the user running the web server. Note     that mod_fastcgi is disabled in Gentoo's default configuration.
  Workaround :

    Edit the file /etc/lighttpd/lighttpd.conf and comment the following     line: 'include mod_fastcgi.conf'

Several vulnerabilities were discovered in lighttpd, a fast webserver with minimal memory footprint, which could allow the execution of arbitrary code via the overflow of CGI variables when mod_fcgi was enabled. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2007-3946     The use of mod_auth could leave to a denial of service     attack crashing the webserver.

  - CVE-2007-3947     The improper handling of repeated HTTP headers could     cause a denial of service attack crashing the webserver.

  - CVE-2007-3949     A bug in mod_access potentially allows remote users to     bypass access restrictions via trailing slash     characters.

  - CVE-2007-3950     On 32-bit platforms users may be able to create denial     of service attacks, crashing the webserver, via     mod_webdav, mod_fastcgi, or mod_scgi.

The remote web server appears to be lighttpd running with the FastCGI module (mod_fastcgi). The version of the FastCGI module on the remote host is affected by a buffer overflow vulnerability. A remote attacker can exploit this, by sending a specially crafted request with a long header, to add or replace headers passed to PHP, such as SCRIPT_FILENAME, which in turn could result in arbitrary code execution.

This update fixes a buffer overflow in the fcgi_env_add() function.
Under some circumstances this bug allows remote code execution.
(CVE-2007-4727)

The remote host is running Lighttpd, a small web server.  This version of Lighttpd is vulnerable to a buffer overflow via the 'mod_fastcgi' module.  An attacker exploiting this flaw would only need the ability to send large, malformed requests to the 'mod_fastcgi' module.  Successful exploitation would result in the attacker executing arbitrary code.

ID	Name	Product	Family	Published	Updated	Severity
26037	FreeBSD : lighttpd -- FastCGI header overrun in mod_fastcgi (4b673ae7-5f9a-11dc-84dd-000102cc8983)	Nessus	FreeBSD Local Security Checks	9/14/2007	1/6/2021	medium
27752	Fedora 7 : lighttpd-1.4.18-1.fc7 (2007-2132)	Nessus	Fedora Local Security Checks	11/6/2007	1/11/2021	medium
26942	GLSA-200710-02 : PHP: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	10/9/2007	1/6/2021	high
26214	GLSA-200709-16 : Lighttpd: Buffer overflow	Nessus	Gentoo Local Security Checks	10/3/2007	1/6/2021	medium
25962	Debian DSA-1362-2 : lighttpd - several vulnerabilities	Nessus	Debian Local Security Checks	9/3/2007	1/4/2021	high
26057	lighttpd mod_fastcgi HTTP Request Header Remote Overflow	Nessus	Web Servers	9/17/2007	7/13/2018	medium
27341	openSUSE 10 Security Update : lighttpd (lighttpd-4532)	Nessus	SuSE Local Security Checks	10/17/2007	1/14/2021	medium
4206	Lighttpd < 1.4.18 mod_fastcgi HTTP Request Header Overflow	Nessus Network Monitor	Web Servers	9/10/2007	3/6/2019	medium

Detections

Analytics

Plugins Search

medium

medium

high

medium

high

medium

medium

medium