This script is Copyright (C) 2014 Tenable Network Security, Inc.
The version of lighttpd running on the remote web server is potentially
affected by multiple vulnerabilities.
According to its self-reported version, the lighttpd install on the
remote host is a version prior to 1.4.35. It is, therefore, potentially
affected by the following security issues :
- A SQL injection flaw exists in the 'mod_mysql_vhost'
module where user input passed using the hostname is not
properly sanitized. This could allow a remote attacker
to inject or manipulate SQL queries allowing the
manipulation and disclosure of data. (CVE-2014-2323)
- A path traversal flaw (traversal outside of a restricted path) exists in
the 'mod_evhost' and 'mod_simple_vhost' modules where
user input passed using the hostname is not properly
sanitized. This could allow a remote attacker to gain
access to potentially sensitive data. (CVE-2014-2324)
Note that Nessus has not tested for this issue but has instead
relied only on the version in the server's banner.
See also :
Either upgrade to lighttpd version 1.4.35 or later or apply the
Risk factor :
High / CVSS Base Score : 7.5
CVSS Temporal Score : 6.5
Public Exploit Available : true
Family: Web Servers
Nessus Plugin ID: 73123
Bugtraq ID: 66153, 66157
CVE ID: CVE-2014-2323, CVE-2014-2324