This script is Copyright (C) 2008-2015 Tenable Network Security, Inc.
The remote Gentoo host is missing one or more security-related
The remote host is affected by the vulnerability described in GLSA-200804-08
(lighttpd: Multiple vulnerabilities)
Julien Cayzac discovered that an insecure default setting exists in
mod_userdir in lighttpd. When userdir.path is not set the default value
used is $HOME. It should be noted that the 'nobody' user's $HOME is '/'
(CVE-2008-1270). An error also exists in the SSL connection code which
can be triggered when a user prematurely terminates his connection
A remote attacker could exploit the first vulnerability to read
arbitrary files. The second vulnerability can be exploited by a remote
attacker to cause a Denial of Service by terminating a victim's SSL
As a workaround for CVE-2008-1270 you can set userdir.path to a
sensible value, e.g. 'public_html'.
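To check whether the workaround is in place on a host, the following sketch reports if mod_userdir is loaded without an explicit userdir.path. It is an added example, not part of the advisory or the Nessus plugin; the function name `userdir_status` and the sample configs are constructed, and it assumes a single config file (include directives are not followed) and treats an empty value as unset.

```shell
#!/bin/sh
# Heuristic audit for the CVE-2008-1270 workaround in a lighttpd config.
# Assumptions (not from the advisory): one file, no include handling,
# '#' always starts a comment, an empty userdir.path counts as unset.

# Prints one of: not-loaded | path-set | path-missing
userdir_status() {
    conf=$(sed 's/#.*$//' "$1")   # drop comments so disabled lines are ignored
    if ! printf '%s\n' "$conf" | grep -q '"mod_userdir"'; then
        echo not-loaded            # module not enabled, default path is never used
    elif printf '%s\n' "$conf" |
         grep -Eq '^[[:space:]]*userdir\.path[[:space:]]*=[[:space:]]*"[^"]+"'; then
        echo path-set              # explicit, non-empty value such as "public_html"
    else
        echo path-missing          # module loaded, falls back to $HOME
    fi
}

demo() {
    dir=$(mktemp -d)
    # Constructed sample: module loaded, userdir.path only present as a comment
    cat > "$dir/weak.conf" <<'EOF'
server.modules = ( "mod_access", "mod_userdir" )
#userdir.path = "public_html"
EOF
    # Constructed sample: workaround from the advisory applied
    cat > "$dir/fixed.conf" <<'EOF'
server.modules = ( "mod_access", "mod_userdir" )
userdir.path = "public_html"
EOF
    # Constructed sample: module commented out of a multi-line list
    cat > "$dir/off.conf" <<'EOF'
server.modules = (
    "mod_access",
#   "mod_userdir",
)
EOF
    for f in "$dir"/*.conf; do
        printf '%s: %s\n' "${f##*/}" "$(userdir_status "$f")"
    done
    rm -rf "$dir"
}

demo
```

Only `path-missing` needs action: set userdir.path or upgrade as described here.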
All lighttpd users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=www-servers/lighttpd-1.4.19-r2'
Risk factor :
Medium / CVSS Base Score : 5.0
Family: Gentoo Local Security Checks
Nessus Plugin ID: 31955 (gentoo_GLSA-200804-08.nasl)
CVE ID: CVE-2008-1270, CVE-2008-1531