| VID |
22543 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
WWW |
| Detailed Description |
The Web server is running a version of lighttpd which is older than 1.4.20. lighttpd is a web server that provides an interface to external programs and allows Web applications to run separate chroot.
According to its banner, the version of lighttpd installed on the remote host is older than 1.4.30 and is potentially affected by a denial of service vulnerability.
The HTTP server allows out-of-bounds values to be decoded during the auth process and later uses these values as offsets. Using negative values as offsets can result in application crashes.
* Note: This check solely relied on the banner of the remote Web server to assess this vulnerability, so this might be a false positive.
* References:
http://www.lighttpd.net/2011/12/18/1-4-30-faster-than-santa-your-first-present-this-year
http://redmine.lighttpd.net/issues/2370
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2011_01.txt
* Platforms Affected:
lighttpd versions prior to 1.4.30
Any operating system Any version |
| Recommendation |
Upgrade to the latest version of lighttpd (1.4.30 or later), available from the lighttpd Download Web site at http://lighttpd.net/download/ |
| Related URL |
CVE-2011-4362 (CVE) |
| Related URL |
50851 (SecurityFocus) |
| Related URL |
(ISS) |
|
