mod_auth in lighttpd before 1.4.36 allows remote attackers to inject arbitrary log entries via a basic HTTP authentication string without a colon character, as demonstrated by a string containing a NULL and new line character.

The remote Ubuntu 16.04 ESM / 18.04 ESM host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4775-1 advisory.

  - mod_auth in lighttpd before 1.4.36 allows remote attackers to inject arbitrary log entries via a basic     HTTP authentication string without a colon character, as demonstrated by a string containing a NULL and     new line character. (CVE-2015-3200)

  - An issue was discovered in mod_alias_physical_handler in mod_alias.c in lighttpd before 1.4.50. There is     potential ../ path traversal of a single directory above an alias target, with a specific mod_alias     configuration where the matched alias lacks a trailing '/' character, but the alias target filesystem path     does have a trailing '/' character. (CVE-2018-19052)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of lighttpd running on the remote host is prior to 1.4.36. It is, therefore, affected by mod_auth vulnerability that allows remote attackers to inject arbitrary log entries via a basic HTTP authentication string without a colon character, as demonstrated by a string containing a NULL and new line character.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of lighttpd running on the remote host is prior to 1.4.36. It is, therefore, affected by the following vulnerabilities :

  - mod_auth in lighttpd before 1.4.36 allows remote attackers     to inject arbitrary log entries via a basic HTTP authentication     string without a colon character, as demonstrated by a string     containing a NULL and new line character.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

MITRE reports :

mod_auth in lighttpd before 1.4.36 allows remote attackers to inject arbitrary log entries via a basic HTTP authentication string without a colon character, as demonstrated by a string containing a NULL and new line character.

Latest upstream security release :

http://www.lighttpd.net/2015/7/26/1.4.36/

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
183126	Ubuntu 16.04 ESM / 18.04 ESM : Lighttpd vulnerabilities (USN-4775-1)	Nessus	Ubuntu Local Security Checks	high
112359	lighttpd < 1.4.36 mod_auth Arbitrary Log Entries Injection	Web App Scanning	Component Vulnerability	high
106627	lighttpd < 1.4.36 Multiple Vulnerabilities	Nessus	Web Servers	high
85319	FreeBSD : lighttpd -- Log injection vulnerability in mod_auth (dd7f29cc-3ee9-11e5-93ad-002590263bf5)	Nessus	FreeBSD Local Security Checks	high
85290	Fedora 22 : lighttpd-1.4.36-1.fc22 (2015-12252)	Nessus	Fedora Local Security Checks	high
85289	Fedora 21 : lighttpd-1.4.36-1.fc21 (2015-12250)	Nessus	Fedora Local Security Checks	high

Detections

Analytics

CVE-2015-3200

high

Tenable Plugins

high

high

high

high

high

high