lighttpd < 1.4.36 Multiple Vulnerabilities
Medium Nessus Plugin ID 106627
Synopsis
The remote web server is affected by a log injection vulnerability.
Description
According to its banner, the version of lighttpd running on the remote host is prior to 1.4.36. It is, therefore, affected by the following vulnerabilities:
- mod_auth in lighttpd before 1.4.36 allows remote attackers to inject arbitrary log entries via a basic HTTP authentication string without a colon character, as demonstrated by a string containing a NULL and new line character.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Upgrade to lighttpd version 1.4.36. Alternatively, apply the vendor-supplied patch.
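The description above turns on a decoded Basic credential that has no colon and carries a NUL and a newline into the log. The following C sketch is an added example, not lighttpd's code or the vendor patch: it handles the decoded value by length rather than as a C string, requires the colon separator, and escapes every control byte so one request can only ever produce one log line. The function names `log_escape` and `check_basic_credentials` are hypothetical, and the input is assumed to be already Base64-decoded.

```c
#include <stdio.h>
#include <string.h>

/* Escape a length-delimited, untrusted buffer for a single-line log record.
 * Control bytes (NUL, CR, LF, ...), backslash and non-ASCII bytes become \xNN.
 * Returns the number of bytes written, or -1 if out is too small. */
int log_escape(const unsigned char *in, size_t len, char *out, size_t outsz)
{
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = in[i];
        int plain = (c >= 0x20 && c < 0x7f && c != '\\');
        size_t need = plain ? 1 : 4;
        if (o + need + 1 > outsz) return -1;      /* keep room for the terminator */
        if (plain) out[o++] = (char)c;
        else { snprintf(out + o, 5, "\\x%02x", (unsigned)c); o += 4; }
    }
    if (o + 1 > outsz) return -1;
    out[o] = '\0';
    return (int)o;
}

/* Check decoded Basic credentials ("user:password") and build one log line.
 * Returns 0 if a colon separator is present, -1 otherwise. The password is
 * never logged; a value without a colon is logged only in escaped form. */
int check_basic_credentials(const unsigned char *dec, size_t len,
                            char *msg, size_t msgsz)
{
    char esc[256];
    const unsigned char *colon = memchr(dec, ':', len);   /* length-aware, NUL-safe */
    size_t n = colon ? (size_t)(colon - dec) : len;
    const char *what = colon ? "credentials parsed for user"
                             : "missing ':' in credentials";
    if (log_escape(dec, n, esc, sizeof esc) < 0) strcpy(esc, "<too long>");
    snprintf(msg, msgsz, "auth: %s: %s", what, esc);
    return colon ? 0 : -1;
}

int main(void)
{
    /* Constructed sample: decoded value with no colon, a NUL and a newline. */
    static const unsigned char sample[] = "x\0\n(forged log line)";
    char msg[512];
    int rc = check_basic_credentials(sample, sizeof sample - 1, msg, sizeof msg);
    printf("rc=%d %s\n", rc, msg);
    return 0;
}
```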