VID | 22450
Severity | 30
Port | 8088, ...
Protocol | TCP
Class | WWW
Detailed Description |
LiteSpeed Web Server is vulnerable to source code disclosure via the NULL character. A flaw in its handling of MIME types could allow a remote attacker to obtain sensitive information. By sending a specially crafted URL request containing a filename followed by a null character (%00.) and an extension, such as '.txt', a remote attacker could exploit this vulnerability to view the source code of arbitrary scripts.
* References:
  http://www.litespeedtech.com/support/forum/showthread.php?t=1445
  http://www.litespeedtech.com/latest/litespeed-web-server-3.2.4-released.html
  http://www.milw0rm.com/exploits/4556
  http://secunia.com/advisories/27302
* Platforms Affected:
  LiteSpeed Technologies, LiteSpeed Web Server version 3.2.3 and earlier versions
  Any operating system, any version
Recommendation |
Upgrade to the latest version of LiteSpeed (3.2.4 or later), available from the LiteSpeed Technologies download site at http://www.litespeedtech.com/download/litespeed-web-server-download
Related URL | CVE-2007-5654 (CVE)
Related URL | 26163 (SecurityFocus)
Related URL | 37380 (ISS)
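To check whether a server was probed before the upgrade, the request shape in the description (a script name, an encoded null character, then an extension) can be searched for in access logs. The following is an added example, not code from the advisory or from LiteSpeed; it assumes Common/Combined Log Format, and the sample log lines are constructed.

```python
import re
from urllib.parse import unquote_to_bytes, urlsplit

# Client, request target and status of a Common/Combined Log Format line (assumed format).
LOG_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def null_byte_suffix(target):
    """Return (script, appended_ext) when the last path segment decodes to
    '<name>\\x00.<ext>', else None. Only the path is inspected, not the query."""
    raw = unquote_to_bytes(urlsplit(target).path)
    segment = raw.rsplit(b"/", 1)[-1]
    name, nul, tail = segment.partition(b"\x00")
    if not nul or not name or not re.match(rb"\.[A-Za-z0-9]", tail):
        return None
    return name.decode("latin-1"), tail.decode("latin-1")

def scan(lines):
    """Collect requests matching the pattern; 'served' marks a 200 response,
    which is the case where script source may have been returned."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        found = null_byte_suffix(m["target"])
        if found:
            hits.append({
                "client": m["client"],
                "script": found[0],
                "ext": found[1],
                "status": int(m["status"]),
                "served": m["status"] == "200",
            })
    return hits

# Constructed sample lines (documentation addresses, invented paths).
SAMPLE = [
    '192.0.2.10 - - [24/Oct/2007:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [24/Oct/2007:10:01:09 +0000] "GET /index.php%00.txt HTTP/1.1" 200 1873 "-" "-"',
    '192.0.2.44 - - [24/Oct/2007:10:01:11 +0000] "GET /inc/config.php%00.txt HTTP/1.1" 404 0 "-" "-"',
    '192.0.2.51 - - [24/Oct/2007:10:02:30 +0000] "GET /search.php?q=a%00.txt HTTP/1.1" 200 900 "-" "-"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Any hit with `served` set to true names a script whose source should be treated as exposed, so credentials embedded in it are candidates for rotation after upgrading.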