VID | 22453
Severity | 40
Port | 80, ...
Protocol | TCP
Class | WWW
Detailed Description |
The lighttpd web server is vulnerable to a buffer overflow in its mod_fastcgi extension. lighttpd is a lightweight web server; mod_fastcgi is the module that hands requests to external FastCGI programs, which can be run in a separate chroot. In lighttpd 1.4.17 and earlier, mod_fastcgi mishandles the headers of an HTTP request when it encodes them for the FastCGI backend: a specially crafted request that produces an overly large contentLength value overflows a buffer, and a remote attacker could use this to execute arbitrary code on the affected host.
* References:
  http://www.lighttpd.net/assets/2007/9/9/lighttpd_sa_2007_12.txt
  http://trac.lighttpd.net/trac/changeset/1986
  http://secweb.se/en/advisories/lighttpd-fastcgi-remote-vulnerability/
  http://www.securityfocus.com/archive/1/archive/1/479763/100/0/threaded
  http://securityreason.com/securityalert/3127
  http://www.frsirt.com/english/advisories/2007/3110
  http://secunia.com/advisories/26732
* Platforms Affected: lighttpd 1.4.17 and earlier; any operating system, any version
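The following is an added example, constructed for this page; it is not lighttpd's own mod_fastcgi code and does not reproduce the exact code path of the advisory. It shows the hazard the description points at: HTTP request headers are copied into FastCGI name-value pairs whose length prefixes grow from one byte to four once a name or value reaches 128 bytes, and the whole set travels in an FCGI_PARAMS record whose contentLength field is only 16 bits. The naive sizing function stands in for the bug class (an assumed pattern, not the advisory's confirmed root cause); the hardened builder computes the exact size, checks it against the contentLength limit and the destination buffer before writing anything, and rejects what does not fit. The header names, the 300- and 70000-byte values, and the request id are constructed inputs.

```c
/* Added illustration, not lighttpd's mod_fastcgi code: encoding HTTP request
 * headers as FastCGI name-value pairs into a pre-sized buffer. The naive sizing
 * below is an assumed bug pattern for the class of flaw the advisory describes. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdlib.h>

#define FCGI_VERSION_1   1
#define FCGI_PARAMS      4
#define FCGI_HEADER_LEN  8
#define FCGI_MAX_CONTENT 65535u /* contentLength is a 16-bit field */

struct hdr { const char *name; const char *value; };

/* FastCGI encodes each name/value length in 1 byte below 128, else in 4 bytes
 * with the high bit set. */
static size_t len_prefix(size_t n) { return n < 128 ? 1 : 4; }

/* Exact encoded size of one name-value pair. */
size_t fcgi_pair_size(size_t klen, size_t vlen) {
    return len_prefix(klen) + len_prefix(vlen) + klen + vlen;
}

/* Naive sizing that assumes every length prefix is one byte. Any header name or
 * value of 128 bytes or more makes the real encoding 3 bytes larger than this
 * estimate, so a buffer sized from it is overrun by the encoder. */
size_t fcgi_pair_size_naive(size_t klen, size_t vlen) { return 2 + klen + vlen; }

/* Bytes by which the naive sizing under-allocates for a header set. */
size_t fcgi_undersize(const struct hdr *h, size_t n) {
    size_t exact = 0, naive = 0;
    for (size_t i = 0; i < n; i++) {
        size_t k = strlen(h[i].name), v = strlen(h[i].value);
        exact += fcgi_pair_size(k, v);
        naive += fcgi_pair_size_naive(k, v);
    }
    return exact - naive;
}

static uint8_t *put_len(uint8_t *p, size_t n) {
    if (n < 128) { *p++ = (uint8_t)n; return p; }
    *p++ = (uint8_t)(0x80 | (n >> 24)); *p++ = (uint8_t)(n >> 16);
    *p++ = (uint8_t)(n >> 8);            *p++ = (uint8_t)n;
    return p;
}

/* Hardened builder: computes the exact content size first, rejects a parameter
 * set that would not fit the 16-bit contentLength or the caller's buffer, and
 * only then writes one FCGI_PARAMS record (8-byte header, pairs, padding to a
 * multiple of 8). Returns the record length, or 0 on rejection. A production
 * encoder would split an oversized set across several records instead. */
size_t fcgi_build_params(const struct hdr *h, size_t n, uint16_t req_id,
                         uint8_t *out, size_t cap) {
    size_t content = 0;
    for (size_t i = 0; i < n; i++)
        content += fcgi_pair_size(strlen(h[i].name), strlen(h[i].value));
    if (content > FCGI_MAX_CONTENT) return 0;
    size_t pad = (8 - content % 8) % 8;
    size_t total = FCGI_HEADER_LEN + content + pad;
    if (total > cap) return 0;

    uint8_t *p = out;
    *p++ = FCGI_VERSION_1;          *p++ = FCGI_PARAMS;
    *p++ = (uint8_t)(req_id >> 8);  *p++ = (uint8_t)req_id;
    *p++ = (uint8_t)(content >> 8); *p++ = (uint8_t)content;
    *p++ = (uint8_t)pad;            *p++ = 0; /* reserved */
    for (size_t i = 0; i < n; i++) {
        size_t k = strlen(h[i].name), v = strlen(h[i].value);
        p = put_len(p, k);        p = put_len(p, v);
        memcpy(p, h[i].name, k);  p += k;
        memcpy(p, h[i].value, v); p += v;
    }
    memset(p, 0, pad);
    return total;
}

/* Constructed samples. g_out holds the last record built; demo_byte() reads it. */
static uint8_t g_out[1024];
static char g_big[301];
unsigned demo_byte(size_t i) { return g_out[i]; }

size_t demo_ordinary(void) {
    struct hdr h[] = { {"SERVER_PROTOCOL", "HTTP/1.1"}, {"HTTP_HOST", "example.test"} };
    return fcgi_build_params(h, 2, 1, g_out, sizeof g_out);
}

static struct hdr long_hdr(void) { /* a 300-byte value needs a 4-byte prefix */
    memset(g_big, 'A', 300); g_big[300] = '\0';
    struct hdr h = { "HTTP_X_LONG", g_big };
    return h;
}
size_t demo_long_value(void) {
    struct hdr h = long_hdr();
    return fcgi_build_params(&h, 1, 1, g_out, sizeof g_out);
}
size_t demo_long_undersize(void) { struct hdr h = long_hdr(); return fcgi_undersize(&h, 1); }

/* A 70000-byte value cannot be described by a 16-bit contentLength: the builder
 * refuses instead of letting the length wrap. */
size_t demo_oversized(void) {
    char *big = malloc(70001); uint8_t *buf = malloc(80000);
    memset(big, 'A', 70000); big[70000] = '\0';
    struct hdr h = { "HTTP_X_HUGE", big };
    size_t r = fcgi_build_params(&h, 1, 1, buf, 80000);
    free(big); free(buf);
    return r;
}
```

The demo_* functions return the record length (0 on rejection) and demo_byte() exposes the bytes written, so the record header fields and the 4-byte length prefix can be inspected directly. The defensive pattern is the ordering: size the output from the same encoding rules the writer uses, compare against every limit (wire field width and destination capacity) before the first write, and treat attacker-controlled header lengths as untrusted input rather than as a hint for buffer allocation.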
Recommendation | Upgrade to lighttpd 1.4.18 or later, available from the lighttpd download site at http://lighttpd.net/download/
Related URL | CVE-2007-4727 (CVE)
Related URL | 25622 (SecurityFocus)
Related URL | 36526 (ISS)