| VID |
22454 |
| Severity |
20 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
WWW |
| Detailed Description |
The lighttpd Web Server is vulnerable to an information disclosure vulnerability associated with the Status module. lighttpd is a web server that provides an interface to external programs and allows Web applications to run separate chroot. The Status module (mod_status) in the installation of lighttpd on the target host supports the feature designed to help administrate the system by displaying server statistics, such as uptime, average throughput, current throughput, active connections and their state, and so on. A malicious user viewing this information may be able to use it to stage further attacks on the server.
* References:
http://trac.lighttpd.net/trac/wiki/Docs%3AModStatus
* Platforms Affected:
lighttpd Any version
Any operating system Any version |
| Recommendation |
Consider the following recommendations:
- Remove the feature if it is not needed (by deactivating "mod_status" module and url config in lighttpd.conf)
- Restrict access to trusted IP addresses only.
- Reconfigure lighttpd to require authentication for the affected URL(s). |
| Related URL |
(CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|
