This script is Copyright (C) 2014 Tenable Network Security, Inc.
The version of lighttpd running on the remote web server is potentially
affected by multiple vulnerabilities.
According to its self-reported version, the lighttpd install on the
remote host is a version prior to 1.4.35. It is, therefore, potentially
affected by the following security issues :
- A SQL injection flaw exists in the 'mod_mysql_vhost'
module where user input passed using the hostname is not
properly sanitized. This could allow a remote attacker
to inject or manipulate SQL queries, resulting in the
manipulation and disclosure of data. (CVE-2014-2323)
- A path traversal flaw (traversal outside of a restricted
path) exists in the 'mod_evhost' and 'mod_simple_vhost'
modules where user input passed using the hostname is not
properly sanitized. This could allow a remote attacker to
gain access to potentially sensitive data. (CVE-2014-2324)
Note that Nessus has not tested for this issue but has instead
relied only on the version in the server's banner.
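Because the finding rests on the banner alone, a follow-up check can combine the reported version with the modules the server actually loads. The sketch below is an added example, not Nessus plugin code or lighttpd project code; the function names and SAMPLE_CONF are constructed for illustration, and it assumes the module list lives in the one config text passed in (include files are not followed).

```python
import re

FIXED = (1, 4, 35)  # first fixed release named in the advisory
AFFECTED_MODULES = {  # module -> CVE, as listed in the advisory
    "mod_mysql_vhost": "CVE-2014-2323",
    "mod_evhost": "CVE-2014-2324",
    "mod_simple_vhost": "CVE-2014-2324",
}

def banner_version(server_header):
    """Return (major, minor, patch) from a 'lighttpd/x.y.z' banner, else None."""
    m = re.search(r"lighttpd/(\d+)\.(\d+)\.(\d+)", server_header or "", re.I)
    return tuple(int(p) for p in m.groups()) if m else None

def loaded_modules(conf_text):
    """Collect names from server.modules = ( ... ) and += ( ... ) blocks."""
    text = re.sub(r"#.*", "", conf_text)  # drop comments, incl. disabled modules
    mods = set()
    for block in re.findall(r"server\.modules\s*\+?=\s*\((.*?)\)", text, re.S):
        mods.update(re.findall(r'"(mod_\w+)"', block))
    return mods

def triage(server_header, conf_text):
    """Map the banner and config to the CVEs that need follow-up."""
    version = banner_version(server_header)
    if version is None:
        return {"status": "unknown-version", "cves": []}
    if version >= FIXED:
        return {"status": "fixed-version", "cves": []}
    cves = sorted({AFFECTED_MODULES[m] for m in loaded_modules(conf_text)
                   if m in AFFECTED_MODULES})
    return {"status": "exposed" if cves else "old-version-modules-not-loaded",
            "cves": cves}

# Constructed sample config: one affected module enabled, one commented out.
SAMPLE_CONF = '''
server.modules = (
    "mod_access",
#   "mod_mysql_vhost",
    "mod_simple_vhost",
)
server.modules += ( "mod_accesslog" )
'''
```

A build with the fix applied as a patch can still report an older version in its banner, so an "exposed" result should be confirmed against the installed package before it is treated as final.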
See also :
Either upgrade to lighttpd version 1.4.35 or later or apply the
Risk factor :
High / CVSS Base Score : 7.5
CVSS Temporal Score : 6.5
Public Exploit Available : true