lighttpd on Windows < 1.4.10a Crafted Filename Request Script Source Disclosure

Medium Nessus Plugin ID 21155


The remote web server is affected by an information disclosure vulnerability.


According to its banner, the version of lighttpd running on the remote Windows host is prior to 1.4.10a. It is, therefore, affected by an information disclosure vulnerability due to a failure to properly validate filename extensions in URLs. A remote attacker can exploit this issue, via specially crafted requests with dot and space characters, to disclose the source of scripts hosted by the affected application.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
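To make the extension-validation failure described above concrete, here is an added illustration (not lighttpd's code and not part of the plugin) of a weak extension check next to a hardened one. It assumes the Windows file API ignores trailing dots and spaces in the final path component, so a request for "index.php." or "index.php " opens index.php while a literal extension comparison no longer sees ".php"; the extension list, the "script"/"static"/"reject" labels and the sample request paths are constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Constructed: extensions whose files must go to a handler and never be served raw.
SCRIPT_EXTENSIONS = {".php", ".cgi", ".pl"}


def extension_of(path: str) -> str:
    """Return the lower-cased extension of the final path component ("" if none)."""
    return posixpath.splitext(path)[1].lower()


def naive_is_script(url_path: str) -> bool:
    """Weak check: trusts the literal extension of the decoded request path.

    "/index.php." and "/index.php " end in "." and ".php " respectively, so
    neither matches ".php" and both fall through to the static-file path.
    """
    return extension_of(unquote(url_path)) in SCRIPT_EXTENSIONS


def windows_canonical_path(path: str) -> str:
    """Name the Windows file API will actually open for this path.

    Assumption stated in the lead-in: Windows ignores trailing dots and spaces
    in the final path component, so "index.php." and "index.php   " both
    resolve to index.php.
    """
    head, sep, name = path.rpartition("/")
    return head + sep + name.rstrip(". ")


def hardened_decision(url_path: str) -> str:
    """Decide how to serve a request: "script", "static" or "reject".

    Decode, canonicalise the way the filesystem will, and refuse any request
    whose spelling differs from the canonical name instead of guessing which
    file the filesystem would have opened.
    """
    path = unquote(url_path)
    canonical = windows_canonical_path(path)
    if canonical != path:
        return "reject"
    if extension_of(canonical) in SCRIPT_EXTENSIONS:
        return "script"
    return "static"


def audit(requests):
    """Map each request path to (naive_is_script, hardened_decision) for comparison."""
    return {r: (naive_is_script(r), hardened_decision(r)) for r in requests}


if __name__ == "__main__":
    # Constructed sample requests, not traffic from any real server.
    sample = ["/index.php", "/index.php.", "/index.php%20", "/logo.png"]
    for path, (naive, hardened) in audit(sample).items():
        print(f"{path!r:18} naive_is_script={naive!s:5} hardened={hardened}")
```

The hardened variant rejects rather than silently canonicalising: a request whose spelling differs from the name the filesystem will open is almost never legitimate, and refusing it keeps the handler decision and the file open consistent.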


Upgrade to lighttpd for Windows version 1.4.10a or later.

Plugin Details

Severity: Medium

ID: 21155

File Name: lighttpd_script_source_disclosure.nasl

Version: $Revision: 1.20 $

Type: remote

Family: Web Servers

Published: 2006/03/27

Modified: 2018/02/07

Dependencies: 106628

Risk Information

Risk Factor: Medium


CVSS v2.0

Base Score: 5

Temporal Score: 4.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Temporal Vector: CVSS2#E:F/RL:U/RC:C


CVSS v3.0

Base Score: 5.3

Temporal Score: 5.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:F/RL:U/RC:C

Vulnerability Information

CPE: cpe:/a:lighttpd:lighttpd

Required KB Items: installed_sw/lighttpd

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 2006/03/01

Exploitable With

CANVAS (D2ExploitPack)

Reference Information

CVE: CVE-2006-0814

BID: 16893

OSVDB: 23542