lighttpd < 1.4.36 mod_auth Arbitrary Log Entries Injection
Medium Web Application Scanning Plugin ID 112359
Synopsis
lighttpd < 1.4.36 mod_auth Arbitrary Log Entries Injection
Description
According to its banner, the version of lighttpd running on the remote host is prior to 1.4.36. It is, therefore, affected by a mod_auth vulnerability that allows remote attackers to inject arbitrary log entries via a basic HTTP authentication string without a colon character, as demonstrated by a string containing a NULL and a newline character.
Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Upgrade to lighttpd version 1.4.36 or later.