lighttpd < 1.4.35 Multiple Vulnerabilities
Severity: High | Web Application Scanning | Plugin ID 112358

Synopsis: lighttpd < 1.4.35 Multiple Vulnerabilities

Description: According to its banner, the version of lighttpd running on the remote host is prior to 1.4.35. It is, therefore, affected by the following vulnerabilities:
- A SQL injection flaw exists in the 'mod_mysql_vhost' module where user input passed using the hostname is not properly sanitized. A remote attacker can exploit this to inject or manipulate SQL queries, resulting in the manipulation or disclosure of data. (CVE-2014-2323)
- A path traversal flaw (traversal outside of the restricted path) exists in the 'mod_evhost' and 'mod_simple_vhost' modules, where user input passed via the hostname is not properly sanitized. A remote attacker can exploit this to gain access to potentially sensitive data. (CVE-2014-2324)
Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution: Upgrade to lighttpd version 1.4.35 or later.
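The check this plugin performs is a banner comparison, so a practitioner triaging the finding wants two things: a numeric version comparison against 1.4.35 that does not fall into string-ordering mistakes, and a look at whether any of the three affected modules is actually loaded. The following is an added example written for this page, not Tenable's plugin code; the sample `Server` header values and the lighttpd configuration snippet are constructed for illustration.

```python
import re

# First version the advisory names as fixed (CVE-2014-2323, CVE-2014-2324).
FIXED_VERSION = (1, 4, 35)

# Modules the advisory lists as affected by the unsanitized-hostname flaws.
AFFECTED_MODULES = {"mod_mysql_vhost", "mod_evhost", "mod_simple_vhost"}

_BANNER_RE = re.compile(r"^lighttpd/(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)
_MODULE_RE = re.compile(r'"(mod_mysql_vhost|mod_evhost|mod_simple_vhost)"')


def parse_lighttpd_version(server_header):
    """Return (major, minor, patch) from a Server header, or None if the
    header is absent, hidden, or not a lighttpd banner with a version."""
    if server_header is None:
        return None
    m = _BANNER_RE.match(server_header.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(server_header):
    """True if the banner reports a version older than 1.4.35, False if
    1.4.35 or later, None when no conclusion is possible from the banner.
    Tuples compare numerically, so 1.4.9 < 1.4.35 is handled correctly
    (a plain string comparison would get that case wrong)."""
    version = parse_lighttpd_version(server_header)
    if version is None:
        return None
    return version < FIXED_VERSION


def affected_modules_enabled(config_text):
    """Return the set of affected modules listed in a lighttpd config.
    Comment text after '#' is dropped so a commented-out module name
    is not reported as enabled."""
    found = set()
    for line in config_text.splitlines():
        code = line.split("#", 1)[0]
        found.update(_MODULE_RE.findall(code))
    return found


# Constructed sample config (hypothetical host); mod_evhost is loaded,
# mod_mysql_vhost appears only inside a comment.
SAMPLE_CONFIG = """
server.modules = (
    "mod_access",
    "mod_evhost",
    "mod_accesslog"
)
# "mod_mysql_vhost" is intentionally not loaded on this host
evhost.path-pattern = "/srv/www/vhosts/%0/htdocs/"
"""
```

A banner of `lighttpd/1.4.33` with `mod_evhost` loaded is the actionable case; a banner that is absent or hidden leaves the plugin's version-only verdict unconfirmed rather than clearing the host.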