lighttpd Status Module Remote Information Disclosure

Severity: Medium | Nessus Plugin ID 26058

Synopsis

The remote web server is affected by an information disclosure vulnerability.

Description

The instance of lighttpd running on the remote host allows unauthenticated access to the URL(s) served by the Status module (mod_status), at least from the Nessus server. mod_status reports how the web server is configured and how it is being used, and that information may prove useful to an attacker seeking to attack the server or host.

Solution

Reconfigure lighttpd to require authentication for the affected URL(s), restrict access to them by IP address, or disable the Status module itself.

See Also

http://www.nessus.org/u?3151c73a

Plugin Details

Severity: Medium

ID: 26058

File Name: lighttpd_status_enabled.nasl

Version: 1.16

Type: remote

Family: Web Servers

Published: 9/17/2007

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Vulnerability Information

CPE: cpe:/a:lighttpd:lighttpd

Required KB Items: installed_sw/lighttpd