According to its banner, the version of lighttpd running on the remote host is prior to 1.4.30. It is, therefore, affected by a denial of service vulnerability. The HTTP server allows out-of-bounds values to be decoded during the auth process and later uses these values as offsets. Using negative values as offsets can result in application crashes.

Note that the scanner has not tested for this issue but has instead relied only on the application's self-reported version number.

Several vulnerabilities have been discovered in lighttpd, a small and fast webserver with minimal memory footprint.

  - CVE-2011-4362     Xi Wang discovered that the base64 decoding routine     which is used to decode user input during an HTTP     authentication, suffers of a signedness issue when     processing user input. As a result it is possible to     force lighttpd to perform an out-of-bounds read which     results in Denial of Service conditions.

  - CVE-2011-3389     When using CBC ciphers on an SSL enabled virtual host to     communicate with certain client, a so called 'BEAST'     attack allows man-in-the-middle attackers to obtain     plaintext HTTP traffic via a blockwise chosen-boundary     attack (BCBA) on an HTTPS session. Technically this is     no lighttpd vulnerability. However, lighttpd offers a     workaround to mitigate this problem by providing a     possibility to disable CBC ciphers.

  This updates includes this option by default. System administrators   are advised to read the NEWS file of this update (as this may break   older clients).

The remote Solaris system is missing necessary patches to address security updates :

  - Integer signedness error in the base64_decode function     in the HTTP authentication functionality (http_auth.c)     in lighttpd 1.4 before 1.4.30 and 1.5 before SVN     revision 2806 allows remote attackers to cause a denial     of service (segmentation fault) via crafted base64 input     that triggers an out-of-bounds read with a negative     index. (CVE-2011-4362)

This update of lighttpd fixes an out-of-bounds read due to a signedness error which could cause a Denial of Service (CVE-2011-4362). Additionally an option was added to honor the server cipher order (resolves lighttpd#2364).

This update fixes CVE-2011-4362 by updating to the latest release. It also fixes problems that had been reported with previous releases, such as ssl-related crashes on startup. This update fixes some minor SSL related problems, as well as a connection stall bug. This update fixes some minor SSL related problems, as well as a connection stall bug. This update fixes some minor SSL related problems, as well as a connection stall bug.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its banner, the version of lighttpd running on the remote host is prior to 1.4.30. It is, therefore, affected by a denial of service vulnerability. The HTTP server allows out-of-bounds values to be decoded during the auth process and later uses these values as offsets. Using negative values as offsets can result in application crashes.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-201406-10 (lighttpd: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in lighttpd. Please review       the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could create a Denial of Service condition.
      Futhermore, a remote attacker may be able to execute arbitrary SQL       statements.
  Workaround :

    There is no known workaround at this time.

- added lighttpd-1.4.30_head_fixes.patch: cherry picked 4     fixes from HEAD :

  - [ssl] include more headers explicitly

  - list all network handlers in lighttpd -V (fixes     lighttpd#2376)

  - Move fdevent subsystem includes to implementation files     to reduce conflicts (fixes lighttpd#2373)

  - [ssl] fix segfault in counting renegotiations for     openssl versions without TLSEXT/SNI

  - update to 1.4.30: (bnc#733607)

  - Always use our &lsquo;own&rsquo; md5 implementation,     fixes linking issues on MacOS (fixes #2331)

  - Limit amount of bytes we send in one go; fixes stalling     in one connection and timeouts on slow systems.

  - [ssl] fix build errors when Elliptic-Curve     Diffie-Hellman is disabled

  - Add static-file.disable-pathinfo option to prevent     handling of urls like &hellip;/secret.php/image.jpg as     static file

  - Don&rsquo;t overwrite 401 (auth required) with 501     (unknown method) (fixes #2341)

  - Fix mod_status bug: always showed &ldquo;0/0&rdquo; in     the &ldquo;Read&rdquo; column for uploads (fixes #2351)

  - [mod_auth] Fix signedness error in http_auth (fixes     #2370, CVE-2011-4362)

  - [ssl] count renegotiations to prevent client     renegotiations

  - [ssl] add option to honor server cipher order (fixes     #2364, BEAST attack)

  - [core] accept dots in ipv6 addresses in host header     (fixes #2359)

  - [ssl] fix ssl connection aborts if files are larger than     the MAX_WRITE_LIMIT (256kb)

  - [libev/cgi] fix waitpid ECHILD errors in cgi with libev     (fixes #2324)

  - add automake as buildrequire to avoid implicit     dependency

US-CERT/NIST reports :

Integer signedness error in the base64_decode function in the HTTP authentication functionality (http_auth.c) in lighttpd 1.4 before 1.4.30 and 1.5 before SVN revision 2806 allows remote attackers to cause a denial of service (segmentation fault) via crafted base64 input that triggers an out-of-bounds read with a negative index.

Integer signedness error in the base64_decode function in the HTTP authentication functionality (http_auth.c) in lighttpd 1.4 before 1.4.30 and 1.5 before SVN revision 2806 allows remote attackers to cause a denial of service (segmentation fault) via crafted base64 input that triggers an out-of-bounds read with a negative index.

ID	Name	Product	Family	Published	Updated	Severity
112355	lighttpd < 1.4.30 base64_decode Function Out-of-Bounds Read Error DoS	Web App Scanning	Component Vulnerability	11/5/2018	3/14/2023	high
57508	Debian DSA-2368-1 : lighttpd - multiple vulnerabilities (BEAST)	Nessus	Debian Local Security Checks	1/12/2012	12/5/2022	medium
80697	Oracle Solaris Third-Party Patch Update : lighttpd (cve_2011_4362_denial_of)	Nessus	Solaris Local Security Checks	1/19/2015	1/14/2021	medium
75941	openSUSE Security Update : lighttpd (openSUSE-SU-2012:0240-1)	Nessus	SuSE Local Security Checks	6/13/2014	1/19/2021	medium
59690	Fedora 16 : lighttpd-1.4.31-1.fc16 (2012-9078)	Nessus	Fedora Local Security Checks	6/26/2012	1/11/2021	medium
57410	lighttpd < 1.4.30 base64_decode Function Out-of-Bounds Read Error DoS	Nessus	Web Servers	12/28/2011	11/15/2018	medium
76062	GLSA-201406-10 : lighttpd: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	6/16/2014	1/6/2021	high
74546	openSUSE Security Update : lighttpd (openSUSE-2012-110)	Nessus	SuSE Local Security Checks	6/13/2014	1/19/2021	medium
57411	FreeBSD : lighttpd -- remote DoS in HTTP authentication (c6521b04-314b-11e1-9cf4-5404a67eef98)	Nessus	FreeBSD Local Security Checks	12/29/2011	1/6/2021	medium
69597	Amazon Linux AMI : lighttpd (ALAS-2012-107)	Nessus	Amazon Linux Local Security Checks	9/4/2013	4/18/2018	medium
59689	Fedora 17 : lighttpd-1.4.31-1.fc17 (2012-9040)	Nessus	Fedora Local Security Checks	6/26/2012	1/11/2021	medium

Detections

Analytics

Plugins Search

high

medium

medium

medium

medium

medium

high

medium

medium

medium

medium